Make WordPress Core

Opened 11 years ago

Closed 11 years ago

#24792 closed defect (bug) (fixed)

Post/Page protection password size limitation truncates passwords - is not documented

Reported by: RayBernard
Owned by:
Milestone: 3.7
Priority: normal
Severity: normal
Version: 2.7
Component: Administration
Keywords: has-patch commit 3.7-early
Focuses:
Cc:

Description

In 3.5.1 and 3.5.2 the post/page feature "Visibility: password protected" as documented in http://codex.wordpress.org/Using_Password_Protection truncates entered passwords at 20 characters. A longer password is accepted, and when truncated no notice is provided. Verified with NO PLUGINS activated in TwentyTwelve theme.

Steps to reproduce:

  1. Edit a page (or post).
  2. Edit the default "Visibility: Public" settings for a page or post.
  3. Choose "Password protected" and enter ABCDEFGHIJKLMNOPQRSTUVWXYZ for the password, click OK, then Update (or Publish).
  4. View the page, which now has "Protected" status, and enter the full password (A through Z). The page redisplays prompting again for password. This time enter just the first 20 characters (ABCDEFGHIJKLMNOPQRST). The password is accepted and the page displays.
  5. Edit the page again, and edit the "Visibility: Password protected" setting. You will see the truncated password. Click in the Password entry box and press the down arrow key. You will find two entries: the truncated password and the original long password.

Go to the Codex documentation and view the Password Form Text section. You will see example code for adding a filter to replace the default password entry form with a custom form. The example password INPUT field contains 'size="20"' -- but that is a display limitation not an input restriction, which would require using 'maxlength="20"'.

MAXLENGTH
The maximum number of characters that will be accepted as input. This can be greater than that specified by SIZE, in which case the field will scroll appropriately. The default is unlimited.

The following post on WordPress Answers states that the limitation is a database limitation. See http://wordpress.stackexchange.com/questions/55975/how-can-i-increase-the-character-limit-for-post-passwords.

There are hundreds of posts on the Web each year going back to 2008 stating that the post/page password protection feature was not working. I suspect that some of these were due to the 20-character truncation.

I reported this as a bug because it is a documentation defect. I did not wish to confuse things by requesting the capability to enter a longer password (new feature request?), or in any way detract from the importance of correcting the codex documentation to include this hidden limitation.

Here are two example documentation changes:

  1. Insert a section titled "Password Size Limitation":

Password Size Limitation

Currently the password is limited to no more than 20 characters. Passwords longer than 20 characters will be truncated to 20 characters.

  2. Correct the example code so that it actually limits the character input to 20 characters using maxlength, such as:
function my_password_form() {
    global $post;
    $label = 'pwbox-'.( empty( $post->ID ) ? rand() : $post->ID );
    $o = '<form action="' . esc_url( site_url( 'wp-login.php?action=postpass', 'login_post' ) ) . '" method="post">
    ' . __( "To view this protected post, enter the password below:" ) . '
    <label for="' . $label . '">' . __( "Password:" ) . ' </label><input name="post_password" id="' . $label . '" type="password" size="20" maxlength="20" /><input type="submit" name="Submit" value="' . esc_attr__( "Submit" ) . '" />
    </form>
    ';
    return $o;
}
add_filter( 'the_password_form', 'my_password_form' );

FINALLY, please either correct the input field in the Visibility box to limit character input to 20 characters, or PREFERABLY expand the password length to 64 characters (documenting this change, of course, and limiting the password entry to the new length).
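
The truncation from the steps to reproduce, next to a server-side length check, as an added example that is not part of the ticket or of WordPress core. The function names are hypothetical, and the silently truncating 20-character field is modelled with `mb_substr` (assumes the mbstring extension is loaded).

```php
<?php
declare(strict_types=1);

// Added illustration, not WordPress core code; every name here is hypothetical.
const POST_PASSWORD_MAX = 20; // the limit reported in this ticket

// Models a 20-character field that cuts over-long values without raising
// an error, which is the behaviour the ticket describes.
function store_truncating(string $password): string
{
    return mb_substr($password, 0, POST_PASSWORD_MAX, 'UTF-8');
}

// Exact, constant-time comparison of the stored value with a visitor's input.
function password_matches(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

// Server-side guard: refuse an over-long password instead of shortening it.
// maxlength on the input is only a browser hint, so the save path checks too.
function validate_post_password(string $password): string
{
    $length = mb_strlen($password, 'UTF-8');
    if ($length > POST_PASSWORD_MAX) {
        throw new LengthException(sprintf(
            'Post password is %d characters; the limit is %d.',
            $length,
            POST_PASSWORD_MAX
        ));
    }
    return $password;
}

// Constructed sample input: the 26-letter password from the steps to reproduce.
$entered = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
$stored  = store_truncating($entered);

var_dump(password_matches($stored, $entered));                // full password
var_dump(password_matches($stored, substr($entered, 0, 20))); // first 20 characters

try {
    validate_post_password($entered); // the guard refuses what the field would cut
} catch (LengthException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```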

Attachments (1)

24792.diff (1.4 KB) - added by DrewAPicture 11 years ago.

Change History (13)

#1 @RayBernard
11 years ago

  • Summary changed from Post/Page password size limitation truncates passwords - is not documented to Post/Page protection password size limitation truncates passwords - is not documented

#2 @DrewAPicture
11 years ago

  • Component changed from General to Administration
  • Keywords has-patch needs-codex added; post/page-password-protection needs-codex-update removed

24792.diff sets maxlength on the post_password input. I'll take care of the Codex changes.

#3 follow-up: @DrewAPicture
11 years ago

  • Keywords needs-codex removed

24792.diff sticks with the 20-character limit and the Codex example/sub-section has been updated to reflect the current limit.

#4 in reply to: ↑ 3 ; follow-up: @RayBernard
11 years ago

Replying to DrewAPicture:

24792.diff sticks with the 20-character limit and the Codex example/sub-section has been updated to reflect the current limit.

Will the WordPress code be changed in the future so that the password entry in the UI is also constrained to the 20-character limit, or whatever the limit may be set to in future revisions?

#5 in reply to: ↑ 4 @DrewAPicture
11 years ago

Replying to RayBernard:

Will the WordPress code be changed in the future so that the password entry in the UI is also constrained to the 20-character limit, or whatever the limit may be set to in future revisions?

It's possible. I've uploaded a patch that would accomplish it. Now it's up to the contributing developers/committers to decide its merit.

#6 @SergeyBiryukov
11 years ago

  • Keywords commit 3.7-early added
  • Milestone changed from Awaiting Review to Future Release
  • Version changed from 3.5 to 2.7

#7 @johnbillion
11 years ago

That's fine for a short-term fix. We really should increase that field length though.

Related: #10483

#8 @wonderboymusic
11 years ago

  • Milestone changed from Future Release to 3.7

these are all marked 3.7-early

#9 @nacin
11 years ago

In 25035:

Add a maxlength attribute to the post password input, reflecting the current DB field length.

props RayBernard, DrewAPicture.
see #24792.

#10 follow-up: @nacin
11 years ago

Can someone find or open a ticket for lengthening the field? After that, let's close this one as fixed.

#11 in reply to: ↑ 10 @DrewAPicture
11 years ago

Replying to nacin:

Can someone find or open a ticket for lengthening the field? After that, let's close this one as fixed.

Oh boy, we've got an old one here. #881 seems to fit the bill.

#12 @nacin
11 years ago

  • Resolution set to fixed
  • Status changed from new to closed

Re-opened #881.
