wp_check_password() and issue with trailing space

[jperlman]

I have users logging in via wp-login.php and then filling out a custom form with the last field entered being their WordPress password.

One specific user can login fine to wp-login.php but when she enters information on the form and her WordPress password, validation fails on wp_check_password().

I realized that her password contains a space at the end.

By creating a brand new user and ensuring it contains a space the bug is evident with the test script I've uploaded.

The version of the production site at the moment is 4.1.1 of where I first saw the bug, but I can reproduce this issue on a brand new WordPress install of 4.3.1 and from the github version currently at 4.5-alpha-35794.

Looks like it's related to but different than ticket

https://core.trac.wordpress.org/ticket/23494

[adrianosilvaferreira]

I've added trim for $password in wp_check_password.

[adrianosilvaferreira]

Sorry for the typo plugable.

[tyxla]

This was implemented on purpose in #24973. It's arguable whether trailing spaces should be allowed in a password.

[rajinsharwar]

Hi @tyxla @adrianosilvaferreira @jperlman, following up on this old ticket.

Currently, the password is trimmed for leading or trailing spaces when creating a user, and also when logging a user. The only time spaces are considered in a password is when there are spaces within the password.

For example, if my Password is: "Test Password", then, the space won't be trimmed. I will be needing to enter the password exactly with an equal number of spaces. But, if the password were "TestPassword ", then, I will be able to log in with/without those spaces at the end.

I hope this clarifies. As this issue is already fixed, let's close this ticket for now. Thanks a lot for contributing here.