#26573 closed defect (bug) (fixed)
Passwords with apostrophes not accepted on install
Reported by: | Ipstenu | Owned by: | nacin |
---|---|---|---|
Milestone: | 3.9 | Priority: | normal |
Severity: | normal | Version: | 3.1 |
Component: | Upgrade/Install | Keywords: | has-patch commit |
Focuses: | Cc: |
Description
What I did: Installed a fresh version of WP 3.8 and used the password test'ingme
What I expected: I would be able to log in with that password.
What happened: When I went to log in, I was told the password was invalid.
At this point, I did a password rest, put in test'ingme
as the new password, and was able to log in.
Then I reinstalled a fresh WP instance on MAMP and got the same problem.
I went all the way back to 3.1 and reproduced there.
Attachments (1)
Change History (9)
#2
@
11 years ago
I've personally tracked it down to wp-includes/class-phpass.php
and the crypt_private
method which is doing the hashing. I would guess it's related to the encode64 calls even though the single quote shouldn't be marked as any special character that takes more bytes than usual.
#3
@
11 years ago
Slashing the password before calling wp_install
fixes that for me. wp_install isn't called anywhere else in core from what I found, now the question is whether it should be slashed upfront or inside of the wp_install function (if we consider that other plugins are using the function and are probably slashing there already).
Additional wp_slash( wp_unslash( ... ) )
could be called inside, but I'm not sure how wise would that be (should be backwards compatible though).
#4
@
11 years ago
- Keywords has-patch added
- Milestone changed from Awaiting Review to 3.9
Looks like 26573.diff would resolve #27464 as well. It is also consistent with [24508].
#5
@
10 years ago
- Keywords commit added
26573.diff still looks good and seems to function as intended.
Previously: #24367