Make WordPress Core

Opened 8 years ago

Closed 7 months ago

#34889 closed defect (bug) (fixed)

wp_check_password() and issue with trailing space

Reported by: jperlman
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.1.1
Component: Login and Registration
Keywords: has-patch needs-testing needs-unit-tests dev-feedback 2nd-opinion
Focuses: administration
Cc:

Description

I have users logging in via wp-login.php and then filling out a custom form with the last field entered being their WordPress password.

One specific user can log in fine to wp-login.php but when she enters information on the form and her WordPress password, validation fails on wp_check_password().

I realized that her password contains a space at the end.

By creating a brand new user and ensuring it contains a space the bug is evident with the test script I've uploaded.

The production site, where I first saw the bug, is at version 4.1.1 at the moment, but I can reproduce this issue on a brand new WordPress install of 4.3.1 and from the GitHub version currently at 4.5-alpha-35794.

Looks like it's related to but different than ticket

https://core.trac.wordpress.org/ticket/23494

Attachments (2)

password.php (497 bytes) - added by jperlman 8 years ago.
plugable.diff (464 bytes) - added by adrianosilvaferreira 8 years ago.


Change History (8)

@jperlman
8 years ago

#1 @adrianosilvaferreira
8 years ago

I've added trim for $password in wp_check_password.

#2 @adrianosilvaferreira
8 years ago

Sorry for the typo plugable.

#3 @adrianosilvaferreira
8 years ago

  • Keywords has-patch needs-testing needs-unit-tests added

#4 @adrianosilvaferreira
8 years ago

  • Keywords dev-feedback 2nd-opinion added

#5 @tyxla
7 years ago

This was implemented on purpose in #24973. It's arguable whether trailing spaces should be allowed in a password.

#6 @rajinsharwar
7 months ago

  • Resolution set to fixed
  • Status changed from new to closed

Hi @tyxla @adrianosilvaferreira @jperlman, following up on this old ticket.

Currently, the password is trimmed for leading or trailing spaces when creating a user, and also when logging in a user. The only time spaces are considered in a password is when there are spaces within the password.

For example, if my password is "Test Password", then the space won't be trimmed. I will be needing to enter the password exactly with an equal number of spaces. But if the password were "TestPassword ", then I will be able to log in with/without those spaces at the end.

I hope this clarifies. As this issue is already fixed, let's close this ticket for now. Thanks a lot for contributing here.
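The mismatch discussed in this ticket, as an added stand-alone example that is not WordPress core code and not from any participant in the thread: it models a store step and a login step that trim the password, next to a custom form that checks the raw input. PHP's password_hash()/password_verify() stand in for the WordPress hasher, and every model_* function name is hypothetical.

```php
<?php
// Stand-alone model, not WordPress code: password_hash()/password_verify()
// stand in for the WordPress hasher, and all model_* names are hypothetical.

// Account creation as described in the ticket: leading and trailing
// whitespace is trimmed before the password is hashed and stored.
function model_store_password(string $typed): string {
    return password_hash(trim($typed), PASSWORD_DEFAULT);
}

// Login path as described in the ticket: trim the input, then verify.
function model_login_check(string $typed, string $hash): bool {
    return password_verify(trim($typed), $hash);
}

// Direct check of raw form input, standing in for a custom form that
// passes $_POST data straight to wp_check_password().
function model_raw_form_check(string $typed, string $hash): bool {
    return password_verify($typed, $hash);
}

// Custom form aligned with the login path: same trim() before the check,
// so both entry points accept exactly the same set of inputs.
function model_fixed_form_check(string $typed, string $hash): bool {
    return model_raw_form_check(trim($typed), $hash);
}

// Constructed sample: the user chose a password ending in a space.
$hash = model_store_password('TestPassword ');

// Constructed inputs: trailing space, no trailing space, interior space.
foreach (['TestPassword ', 'TestPassword', 'Test Password'] as $typed) {
    printf(
        "%-16s login=%-5s raw_form=%-5s fixed_form=%s\n",
        var_export($typed, true),
        var_export(model_login_check($typed, $hash), true),
        var_export(model_raw_form_check($typed, $hash), true),
        var_export(model_fixed_form_check($typed, $hash), true)
    );
}
```

Only the raw form check rejects the input with the trailing space, which is the failure reported in this ticket; the interior-space input is rejected by all three checks.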
