Opened 11 years ago
Closed 11 years ago
#24792 closed defect (bug) (fixed)
Post/Page protection password size limitation truncates passwords - is not documented
Reported by: | RayBernard | Owned by: | |
---|---|---|---|
Milestone: | 3.7 | Priority: | normal |
Severity: | normal | Version: | 2.7 |
Component: | Administration | Keywords: | has-patch commit 3.7-early |
Focuses: | Cc: |
Description
In 3.5.1 and 3.5.2 the post/page feature "Visibility: password protected" as documented in http://codex.wordpress.org/Using_Password_Protection truncates entered passwords at 20 characters. A longer password is accepted, and when truncated no notice is provided. Verified with NO PLUGINS activated in TwentyTwelve theme.
Steps to reproduce:
- Edit a page (or post).
- Edit the default "Visibility: Public" settings for a page or post.
- Choose "Password protected" and enter ABCDEFGHIJKLMNOPQRSTUVWXYZ for the password, click OK, then Update (or Publish).
- View the page, which now has "Protected" status, and enter the full password (A through Z). The page redisplays prompting again for password. This time enter just the first 20 characters (ABCDEFGHIJKLMNOPQRST). The password is accepted and the page displays.
- Edit the page again, and edit the "Visibility: Password protected" setting. You will see the truncated password. Click in the Password entry box and press the down arrow key. You will find two entries: the truncated password and the original long password.
Go to the Codex documentation and view the Password Form Text section. You will see example code for adding a filter to replace the default password entry form with a custom form. The example password INPUT field contains 'size="20"' -- but that is a display limitation not an input restriction, which would require using 'maxlength="20"'.
MAXLENGTH
The maximum number of characters that will be accepted as input. This can be greater that specified by SIZE , in which case the field will scroll appropriately. The default is unlimited.
The following post on WordPress Answers states that the limitation is a database limitation. See http://wordpress.stackexchange.com/questions/55975/how-can-i-increase-the-character-limit-for-post-passwords.
There are hundreds of posts on the Web each year going back to 2008 stating that the post/page password protection feature was not working. I suspect that some of these were due to the 20-character truncation.
I reported this as a bug because it is a documentation defect. I did not wish to confuse things by requesting the capability to enter a longer password (new feature request?), or in any way detract from the importance of correcting the codex documentation to include this hidden limitation.
Here are two example documentation changes:
- Insert a section titled "Password Size Limitation":
Password Size Limitation
Currently the password is limited to no more than 20 characters. Passwords longer than 20 characters will be truncated to 20 characters.
- Correct the example code so that it actually limits the character input to 20 characters using maxlength. Such as:
function my_password_form() { global $post; $label = 'pwbox-'.( empty( $post->ID ) ? rand() : $post->ID ); $o = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" method="post"> ' . __( "To view this protected post, enter the password below:" ) . ' <label for="' . $label . '">' . __( "Password:" ) . ' </label><input name="post_password" id="' . $label . '" type="password" size="20" maxlength="20" /><input type="submit" name="Submit" value="' . esc_attr__( "Submit" ) . '" /> </form> '; return $o; } add_filter( 'the_password_form', 'my_password_form' );
FINALLY, please either correct the input field in the Visibility box to limit character input to 20 characters, or PREFERABLY expand the password length to 64 characters (documenting this change, of course, and limiting the password entry to the new length).
Attachments (1)
Change History (13)
#1
@
11 years ago
- Summary changed from Post/Page password size limitation truncates passwords - is not documented to Post/Page protection password size limitation truncates passwords - is not documented
#2
@
11 years ago
- Component changed from General to Administration
- Keywords has-patch needs-codex added; post/page-password-protection needs-codex-update removed
#3
follow-up:
↓ 4
@
11 years ago
- Keywords needs-codex removed
24792.diff sticks with the 20-character limit and the Codex example/sub-section has been updated to reflect the current limit.
#4
in reply to:
↑ 3
;
follow-up:
↓ 5
@
11 years ago
Replying to DrewAPicture:
24792.diff sticks with the 20-character limit and the Codex example/sub-section has been updated to reflect the current limit.
Will the WordPress code be changed in the future so that the password entry in the UI is also constrained to the 20-character limit, or whatever the limit may be set to in future revisions?
#5
in reply to:
↑ 4
@
11 years ago
Replying to RayBernard:
Will the WordPress code be changed in the future so that the password entry in the UI is also constrained to the 20-character limit, or whatever the limit may be set to in future revisions?
It's possible. I've uploaded a patch that would accomplish it. Now it's up to the contributing developers/committers to decide its merit.
#6
@
11 years ago
- Keywords commit 3.7-early added
- Milestone changed from Awaiting Review to Future Release
- Version changed from 3.5 to 2.7
#7
@
11 years ago
That's fine for a short-term fix. We really should increase that field length though.
Related: #10483
#10
follow-up:
↓ 11
@
11 years ago
Can someone find or open a ticket for lengthening the field? After that, let's close this one as fixed.
24792.diff sets
maxlength
on thepost_password
input. I'll take care of the Codex changes.