#35500 closed defect (bug) (fixed)
Login page: user can change password on " " but can't log in with new password.
Reported by: | antonrinas | Owned by: | hellofromTonya |
---|---|---|---|
Milestone: | 6.0 | Priority: | lowest |
Severity: | normal | Version: | |
Component: | Login and Registration | Keywords: | has-patch needs-testing |
Focuses: | Cc: |
Description
There is a user:
login: admin
password: admin
role: administrator
STEPS TO REPRODUCE
Click "Lost your password?" on Login page and change it on " " (space character).
Try to login with new password.
EXPECTED RESULT: logging in.
ACTUAL RESULT: "ERROR: The password field is empty."
Attachments (4)
Change History (21)
#1
@
9 years ago
- Keywords needs-patch added
- Priority changed from normal to lowest
- Version 4.4.1 deleted
#3
@
9 years ago
- Keywords close added
I agree with @swissspidy here. I don't think its a common use case to set a password as a space (or even multiples spaces). And I don't think its a use case that should be supported. I don't think we should go out of our way to support passwords that are that insecure.
#4
@
4 years ago
- Keywords close removed
- Owner set to hellofromTonya
- Status changed from new to assigned
Hello @antonrinas,
Welcome to WordPress Trac! Thank you for reporting this issue.
For JavaScript enabled browsers, this issue was fixed in ticket #42766 with changeset [49118]. This change did the following:
- the password field is trimmed first
- if empty, an
empty
class is added to the field and theSave Password
button is not displayed - requires JavaScript
What if the browser has JavaScript disabled? The problem still exists.
A possible solution:
- Trim and then check if
pass1
is empty inwp-login.php
- if yes, generate an error message
This step would return the user back to the password reset page with a reason why their password was not accepted.
Testing now and will submit a patch for consideration.
@
4 years ago
Trims and checks for empty pass1. If present, sets error to alert user and allows user to try again.
#5
@
4 years ago
- Keywords has-patch needs-testing has-testing-info added; needs-patch removed
- Milestone set to 5.9
Testing info
Dependencies
Need a way to capture the password reset email when testing locally. One way is to install and activate the Email Log plugin. This plugin captures email notifications, including the password reset email.
How to get a password reset link and display the Password Reset screen:
- Request to reset your password by (a) going to the login page, (b) clicking on "Lost your password?" link, and then adding your username or email.
- Get the password reset link from the email by:
- Open the database. If using Local, click on the
Database
tab and then click onOpen Adminer
. It should then open in your browser. - Open the
wp_email_log
database table. - Click on
Select data
. - Edit the last record in the table, which opens it up.
- Copy the link in the
message
field (likely will need to scroll down to view and then copy it).
- Open the database. If using Local, click on the
- Open a different browser and turn off/disable JavaScript.
- Copy the reset password link into that browser.
How to reproduce the problem locally
- Go to the Password Reset screen (see above).
- Type one or more spaces into both password fields.
- Click
Save Password
button. => Notice it let you. - Try to log in with that "space-only" password. => Notice it fails.
How to test the patch
- Request another password reset and go to the Password Reset screen (see above).
- Type one or more spaces into both password fields.
- Click
Save Password
button.
This time notice an error message is displayed and the Password Reset screen reloads.
This ticket was mentioned in Slack in #core-test by hellofromtonya. View the logs.
4 years ago
This ticket was mentioned in Slack in #core by costdev. View the logs.
3 years ago
#10
@
3 years ago
- Keywords commit added; needs-testing removed
Test Report
Environment
- Server: nginx - Local by Flywheel
- WordPress: 5.9.2
- Browser: Chrome 99.0.4844.84
- OS: Windows 10
- Theme: Twenty Twenty-Two
- Plugins:
- Email Log 2.4.8
Steps
- Go to the Password Reset screen.
- Type one or more spaces into both password fields.
- Click
Save Password
button. => Notice it let you. ✅ - Try to log in with that "space-only" password. => Notice it fails. ✅
- Apply patch 35500.1.diff.
- Request another password reset and go to the Password Reset screen.
- Type one or more spaces into both password fields.
- Click
Save Password
button. - This time notice an error message is displayed and the Password Reset screen reloads. ✅
Results
- Issue reproduced.
- Patch 35500.1.diff resolves the issue.
- Removing
needs-testing
. - Adding
commit
for consideration.
#11
@
3 years ago
- Keywords needs-refresh needs-testing added; has-testing-info commit removed
Doing some branch testing with JavaScript disabled.
Entering space
(please note the leading space) in both the password and confirmation fields results in the error message "Error: The passwords do not match."
This is because the password field, pass1
, is trimmed but the confirmation field, pass2
, is not. If WordPress must preprocess password fields, then the confirmation field will need to be preprocessed too.
@
3 years ago
Patch refreshed after testing by @peterwilsoncc. Compares $_POST['pass1']
to trim( $_POST['pass2'] )
.
#12
@
3 years ago
- Keywords needs-refresh removed
Just added patch 35500.2.diff, which tests well for me using " space" (note the leading space) in both the password and confirmation field.
#13
follow-up:
↓ 15
@
3 years ago
- Resolution set to fixed
- Status changed from assigned to closed
In 53067:
#15
in reply to:
↑ 13
;
follow-up:
↓ 16
@
3 years ago
Replying to peterwilsoncc:
In 53067:
I wonder to know if we can just put this both "if" statement together... Any objection?
#16
in reply to:
↑ 15
;
follow-up:
↓ 17
@
3 years ago
Replying to azouamauriac:
I wonder to know if we can just put this both "if" statement together... Any objection?
The first if statement makes changes to the password variable that are used in the second statement. I considered asking for them to be combined but decided the code would be clearer keeping them separate.
#17
in reply to:
↑ 16
@
3 years ago
Replying to peterwilsoncc:
Replying to azouamauriac:
I wonder to know if we can just put this both "if" statement together... Any objection?
The first if statement makes changes to the password variable that are used in the second statement. I considered asking for them to be combined but decided the code would be clearer keeping them separate.
I'm still thinking these statements can be merged without make the code unreadable. Anyway let's move up.
thank you.
Simply not using
trim()
on the password inwp_authenticate()
results in aincorrect_password
error instead ofempty_password
. So that's only half of the deal.I consider using
, I think the downsides outweigh the benefits.
trim()
very helpful, e.g. when users accidentally hit space when typing in their password. Since someone rarely if ever changes their password to