Make WordPress Core

Opened 5 years ago

Last modified 2 weeks ago

#35500 assigned defect (bug)

Login page: user can change password on " " but can't log in with new password.

Reported by: antonrinas
Owned by: hellofromTonya
Milestone: 5.9
Priority: lowest
Severity: normal
Version:
Component: Login and Registration
Keywords: has-patch needs-testing has-testing-info
Focuses:
Cc:

Description

There is a user:
login: admin
password: admin
role: administrator
STEPS TO REPRODUCE
Click "Lost your password?" on Login page and change it to " " (space character).
Try to login with new password.
EXPECTED RESULT: logging in.
ACTUAL RESULT: "ERROR: The password field is empty."

Attachments (3)

35500.diff (796 bytes) - added by hellofromTonya 2 weeks ago.
Trims and checks for empty pass1. If present, sets error to alert user and allows user to try again.
35500.1.diff (822 bytes) - added by hellofromTonya 2 weeks ago.
Checks for a password of one space or all empty spaces. Does not check on first load.
35500-testing-no-js.gif (1.3 MB) - added by hellofromTonya 2 weeks ago.
Testing of 35500.1.diff patch. Works as expected.


Change History (9)

#1 @johnbillion
5 years ago

  • Keywords needs-patch added
  • Priority changed from normal to lowest
  • Version 4.4.1 deleted

#2 @swissspidy
5 years ago

Simply not using trim() on the password in wp_authenticate() results in an incorrect_password error instead of empty_password. So that's only half of the deal.

I consider using trim() very helpful, e.g. when users accidentally hit space when typing in their password. Since someone rarely if ever changes their password to " ", I think the downsides outweigh the benefits.

#3 @voldemortensen
5 years ago

  • Keywords close added

I agree with @swissspidy here. I don't think it's a common use case to set a password as a space (or even multiple spaces). And I don't think it's a use case that should be supported. I don't think we should go out of our way to support passwords that are that insecure.

#4 @hellofromTonya
2 weeks ago

  • Keywords close removed
  • Owner set to hellofromTonya
  • Status changed from new to assigned

Hello @antonrinas,

Welcome to WordPress Trac! Thank you for reporting this issue.

For JavaScript enabled browsers, this issue was fixed in ticket #42766 with changeset [49118]. This change did the following:

  • the password field is trimmed first
  • if empty, an empty class is added to the field and the Save Password button is not displayed
  • requires JavaScript

What if the browser has JavaScript disabled? The problem still exists.

A possible solution:

  • Trim and then check if pass1 is empty in wp-login.php
  • if yes, generate an error message

This step would return the user back to the password reset page with a reason why their password was not accepted.

Testing now and will submit a patch for consideration.
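The two checks discussed in comments 2 and 4 (trimming the submitted password in wp_authenticate(), and trimming pass1 on the reset form before accepting it) can be shown side by side in a stand-alone PHP snippet. This is an added example, not the ticket's patch and not WordPress core code: the function names, the error codes and the use of password_hash()/password_verify() in place of core's hashing are assumptions made for illustration.

```php
<?php
// Added example, not the ticket's patch or WordPress core code.
// Models the two checks discussed in this ticket as stand-alone functions:
//  - the reset-form check proposed in comment 4: trim pass1, reject if empty
//  - the login-side behaviour described in comment 2: wp_authenticate()
//    trims the submitted password before anything else.
// Function names, error codes and the password_hash()/password_verify()
// calls are illustrative assumptions; core uses its own hashing.

declare(strict_types=1);

/**
 * Validate a new password the way the reset form should, with JavaScript
 * disabled. Returns null when acceptable, otherwise an error code.
 */
function validate_reset_password(string $pass1, string $pass2): ?string
{
    // Apply the same trimming the login path applies, so that whatever is
    // stored can actually be typed back in. One or more spaces trims to ''.
    if (trim($pass1) === '') {
        return 'password_reset_empty';
    }
    if ($pass1 !== $pass2) {
        return 'password_reset_mismatch';
    }
    return null;
}

/**
 * Store the password as an unpatched reset would: the raw, untrimmed value.
 * (Assumption: password_hash() stands in for core's hashing.)
 */
function store_password_unpatched(string $pass1): string
{
    return password_hash($pass1, PASSWORD_DEFAULT);
}

/**
 * Mimic the login-side order of operations: trim first, then reject an
 * empty password, then compare against the stored hash.
 * Returns 'ok', 'empty_password' or 'incorrect_password'.
 */
function authenticate_like_core(string $stored_hash, string $submitted): string
{
    $submitted = trim($submitted);
    if ($submitted === '') {
        return 'empty_password';
    }
    return password_verify($submitted, $stored_hash) ? 'ok' : 'incorrect_password';
}

// Constructed walk-through of the report: reset to a space-only password
// on an unpatched form, then try to log in with it.
$hash = store_password_unpatched('   ');
echo "unpatched reset, then login: ", authenticate_like_core($hash, '   '), PHP_EOL;

// With the check from comment 4 in front of the reset, the space-only
// password never reaches storage.
echo "patched reset, spaces only:  ", var_export(validate_reset_password('   ', '   '), true), PHP_EOL;
echo "patched reset, real password: ", var_export(validate_reset_password('s3cret', 's3cret'), true), PHP_EOL;
```

Run with `php example.php`. The first line shows the ticket's symptom: the stored hash is of three spaces, but the login path trims the submission to an empty string and stops with empty_password before it ever compares hashes. The second line shows the proposed fix refusing the same input at reset time, and the third shows an ordinary password passing through. Note the intentional ordering in validate_reset_password(): the emptiness check runs on the trimmed value, but the mismatch check compares the raw values, so a password with a deliberate trailing space is still required to match exactly in both fields.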

@hellofromTonya
2 weeks ago

Attachment 35500.diff added: Trims and checks for empty pass1. If present, sets error to alert user and allows user to try again.

@hellofromTonya
2 weeks ago

Attachment 35500.1.diff added: Checks for a password of one space or all empty spaces. Does not check on first load.

@hellofromTonya
2 weeks ago

Attachment 35500-testing-no-js.gif added: Testing of 35500.1.diff patch. Works as expected.

#5 @hellofromTonya
2 weeks ago

  • Keywords has-patch needs-testing has-testing-info added; needs-patch removed
  • Milestone set to 5.9

Testing info

Dependencies

Need a way to capture the password reset email when testing locally. One way is to install and activate the Email Log plugin. This plugin captures email notifications, including the password reset email.

How to get a password reset link and display the Password Reset screen:

  1. Request to reset your password by (a) going to the login page, (b) clicking on "Lost your password?" link, and then adding your username or email.
  2. Get the password reset link from the email by:
    • Open the database. If using Local, click on the Database tab and then click on Open Adminer. It should then open in your browser.
    • Open the wp_email_log database table.
    • Click on Select data.
    • Edit the last record in the table, which opens it up.
    • Copy the link in the message field (likely will need to scroll down to view and then copy it).
  3. Open a different browser and turn off/disable JavaScript.
  4. Copy the reset password link into that browser.

How to reproduce the problem locally

  1. Go to the Password Reset screen (see above).
  2. Type one or more spaces into both password fields.
  3. Click Save Password button. => Notice it let you.
  4. Try to log in with that "space-only" password. => Notice it fails.

How to test the patch

  1. Request another password reset and go to the Password Reset screen (see above).
  2. Type one or more spaces into both password fields.
  3. Click Save Password button.

This time notice an error message is displayed and the Password Reset screen reloads.

This ticket was mentioned in Slack in #core-test by hellofromtonya, 2 weeks ago.
