Make WordPress Core

Opened 11 years ago

Closed 10 years ago

Last modified 10 years ago

#26573 closed defect (bug) (fixed)

Passwords with apostrophes not accepted on install

Reported by: Ipstenu
Owned by: nacin
Milestone: 3.9
Priority: normal
Severity: normal
Version: 3.1
Component: Upgrade/Install
Keywords: has-patch commit
Focuses:
Cc:


What I did: Installed a fresh version of WP 3.8 and used the password test'ingme

What I expected: I would be able to log in with that password.

What happened: When I went to log in, I was told the password was invalid.

At this point, I did a password reset, put in test'ingme as the new password, and was able to log in.

Then I reinstalled a fresh WP instance on MAMP and got the same problem.

I went all the way back to 3.1 and reproduced there.

Attachments (1)

26573.diff (503 bytes) - added by nofearinc 11 years ago.
wp_slash call on wp_install


Change History (9)

#2 @nofearinc
11 years ago

I've personally tracked it down to wp-includes/class-phpass.php and the crypt_private method which is doing the hashing. I would guess it's related to the encode64 calls even though the single quote shouldn't be marked as any special character that takes more bytes than usual.

11 years ago

wp_slash call on wp_install

#3 @nofearinc
11 years ago

Slashing the password before calling wp_install fixes that for me. wp_install isn't called anywhere else in core from what I found. Now the question is whether it should be slashed upfront or inside of the wp_install function (if we consider that other plugins are using the function and are probably slashing there already).

Additional wp_slash( wp_unslash( ... ) ) could be called inside, but I'm not sure how wise that would be (should be backwards compatible though).
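
The slashing mismatch discussed in this comment, modelled as an added example (not code from the ticket, from 26573.diff or from WordPress core). The `demo_*` functions are hypothetical stand-ins: the sketch assumes wp_slash() and wp_unslash() act like addslashes() and stripslashes() on strings and that the login path checks the slashed form of the submitted password, and it uses PHP's password_hash() in place of the phpass hasher.

```php
<?php
// Stand-ins for the WordPress helpers (assumption: on plain strings,
// wp_slash() behaves like addslashes() and wp_unslash() like stripslashes()).
function demo_slash(string $value): string   { return addslashes($value); }
function demo_unslash(string $value): string { return stripslashes($value); }

// Hypothetical model of the install path: hashes exactly the string it is given.
// password_hash() is a swapped-in hasher, not the one WordPress used here.
function demo_install(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Hypothetical model of the login path: the typed password reaches the
// check in slashed form (assumption) and is verified in that form.
function demo_login(string $typed, string $stored_hash): bool {
    return password_verify(demo_slash($typed), $stored_hash);
}

// Constructed sample passwords: the one from the report, one with no
// slash-affected characters, and two with other characters addslashes() escapes.
$samples = ["test'ingme", 'plainpassword', 'back\\slash', 'dq"uote'];

foreach ($samples as $pw) {
    $posted = demo_slash($pw); // what the install form handler receives

    // Before the patch: the password is unslashed, then passed to install.
    $hash_before = demo_install(demo_unslash($posted));

    // After the patch: the password is slashed again before the install call.
    $hash_after = demo_install(demo_slash(demo_unslash($posted)));

    printf(
        "%-15s login before patch: %-4s  after patch: %s\n",
        $pw,
        demo_login($pw, $hash_before) ? 'ok' : 'FAIL',
        demo_login($pw, $hash_after) ? 'ok' : 'FAIL'
    );
}
```

Only passwords containing a character that addslashes() escapes fail before the patch, which matches the report that the same password worked once it was set through the password reset form.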

#4 @SergeyBiryukov
10 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 3.9

Looks like 26573.diff would resolve #27464 as well. It is also consistent with [24508].

#5 @kirasong
10 years ago

  • Keywords commit added

26573.diff still looks good and seems to function as intended.

#6 @nacin
10 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 27736:

Ensure proper slashing of the password on install.

This isn't the ideal fix, but it makes things work for now.

props nofearinc.
fixes #26573.

#7 @SergeyBiryukov
10 years ago

#27714 was marked as a duplicate.

#8 @dd32
10 years ago

#29670 was marked as a duplicate.
