Opened 4 months ago

Closed 3 weeks ago

Last modified 11 days ago

#26573 closed defect (bug) (fixed)

Passwords with apostrophes not accepted on install

Reported by: Ipstenu
Owned by: nacin
Milestone: 3.9
Priority: normal
Severity: normal
Version: 3.1
Component: Upgrade/Install
Keywords: has-patch commit
Focuses:
Cc:

Description

What I did: Installed a fresh version of WP 3.8 and used the password test'ingme

What I expected: I would be able to log in with that password.

What happened: When I went to log in, I was told the password was invalid.

At this point, I did a password reset, put in test'ingme as the new password, and was able to log in.

Then I reinstalled a fresh WP instance on MAMP and got the same problem.

I went all the way back to 3.1 and reproduced there.

Attachments (1)

26573.diff (503 bytes) - added by nofearinc 4 months ago.
wp_slash call on wp_install

Change History (8)

comment:2 nofearinc 4 months ago

I've personally tracked it down to wp-includes/class-phpass.php and the crypt_private method which is doing the hashing. I would guess it's related to the encode64 calls even though the single quote shouldn't be marked as any special character that takes more bytes than usual.

nofearinc 4 months ago

wp_slash call on wp_install

comment:3 nofearinc 4 months ago

Slashing the password before calling wp_install fixes that for me. wp_install isn't called anywhere else in core from what I found; now the question is whether it should be slashed upfront or inside of the wp_install function (if we consider that other plugins are using the function and are probably slashing there already).

An additional wp_slash( wp_unslash( ... ) ) could be called inside, but I'm not sure how wise that would be (should be backwards compatible though).
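
The mismatch discussed in this comment, as an added example that is not part of the ticket or of WordPress core. It assumes request data reaches the code slashed, that the installer hashed the unslashed password while the login check sees the slashed one, and it uses addslashes() and password_hash() as stand-ins for wp_slash() and the phpass hasher; all function names are hypothetical.

```php
<?php
// Added illustration, not WordPress code. addslashes()/stripslashes() stand in
// for wp_slash()/wp_unslash(); password_hash()/password_verify() stand in for
// the phpass hasher in wp-includes/class-phpass.php.

// Form input as the application sees it when request data is slashed on
// arrival (assumption).
function request_value(string $typed): string {
    return addslashes($typed);
}

// Install path before the fix (assumption): the password is unslashed and
// then hashed, so the stored hash covers the raw string.
function install_hash_before(string $typed): string {
    $password = stripslashes(request_value($typed));
    return password_hash($password, PASSWORD_DEFAULT);
}

// Install path after the fix: the unslashed password is slashed again before
// it is handed on, so the stored hash covers the slashed string.
function install_hash_after(string $typed): string {
    $password = addslashes(stripslashes(request_value($typed)));
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login path (assumption): the slashed request value is checked against the
// stored hash.
function login_ok(string $typed, string $stored): bool {
    return password_verify(request_value($typed), $stored);
}

// Constructed sample passwords: only those containing a character that
// addslashes() escapes (', ", \) hash differently on the two paths.
$samples = ["test'ingme", 'plainpassword', 'quo"te', 'back\\slash'];

foreach ($samples as $pw) {
    printf(
        "%-14s login before fix: %-5s login after fix: %s\n",
        $pw,
        login_ok($pw, install_hash_before($pw)) ? 'ok' : 'FAIL',
        login_ok($pw, install_hash_after($pw)) ? 'ok' : 'FAIL'
    );
}
```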

comment:4 SergeyBiryukov 4 weeks ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 3.9

Looks like 26573.diff would resolve #27464 as well. It is also consistent with [24508].

comment:5 DH-Shredder 4 weeks ago

  • Keywords commit added

26573.diff still looks good and seems to function as intended.

comment:6 nacin 3 weeks ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 27736:

Ensure proper slashing of the password on install.

This isn't the ideal fix, but it makes things work for now.

props nofearinc.
fixes #26573.

comment:7 SergeyBiryukov 11 days ago

#27714 was marked as a duplicate.