Make WordPress Core

Opened 15 months ago

Last modified 7 months ago

#44628 new defect (bug)

Repair DB rehashes password to md5

Reported by: yani.iliev
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Upgrade/Install
Keywords: has-patch needs-testing
Focuses:
Cc:
PR Number:

Description

How to replicate:

Corrupt the database:

truncate $wpdb->options;
insert into $wpdb->options (option_name, option_value) values('siteurl', 'http://localhost');

Navigate to http://localhost/ and repair the database.

Observe user_pass for all users in $wpdb->users: it is now an md5 hash.

Attachments (1)

44628.diff (1.0 KB) - added by jbcomte35 7 months ago.
Diff file


Change History (6)

#1 @yani.iliev
15 months ago

The code that rehashes the password is in https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/upgrade.php?annotate=blame#L889

upgrade_110 is used to convert plaintext passwords to md5; however, the hash has changed in the most recent versions of WordPress and the regex needs updating.
wp_check_password uses

<?php
if ( strlen($hash) <= 32 ) {

to check if the hash is md5, but ideally it should be === because md5 is always 32 characters.
https://core.trac.wordpress.org/browser/tags/4.9.7/src/wp-includes/pluggable.php#L2237

  • if password length < 32, hash password with md5
  • if password length === 32, check if the string has all valid md5 characters
      • if the password has valid md5 characters, assume it is an md5 checksum
      • else assume it is not hashed and md5 hash it
  • if the password is > 32 characters, do not hash it.
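
The length-and-charset rule proposed in comment #1, written out as an added PHP example that is not part of the ticket, the attached diff, or WordPress core. The function names and the sample rows are hypothetical and constructed for illustration.

```php
<?php
// Added illustration of the rule proposed in comment #1; not WordPress core code.
// Function names and sample values are hypothetical / constructed.

/** Classify a stored user_pass value by the length and charset rule. */
function classify_user_pass(string $stored): string
{
    $len = strlen($stored);
    if ($len < 32) {
        return 'plaintext';      // shorter than any md5 digest
    }
    if ($len === 32) {
        // ctype_xdigit() is true only when every character is a hex digit.
        return ctype_xdigit($stored) ? 'md5' : 'plaintext';
    }
    return 'other-hash';         // longer than 32 characters: leave untouched
}

/** Return the value the upgrade step should store for this row. */
function upgrade_user_pass(string $stored): string
{
    return classify_user_pass($stored) === 'plaintext' ? md5($stored) : $stored;
}

// Constructed sample rows (not real credentials or real hashes).
$rows = [
    'legacy plaintext'  => 'hunter2',
    'legacy md5'        => md5('hunter2'),
    '32 chars, not hex' => str_repeat('z', 32),
    'phpass-style, 34'  => '$P$B' . str_repeat('x', 30),
];

foreach ($rows as $label => $stored) {
    $once  = upgrade_user_pass($stored);
    $twice = upgrade_user_pass($once);   // a second repair run must change nothing
    printf(
        "%-18s %-10s changed=%-3s idempotent=%s\n",
        $label,
        classify_user_pass($stored),
        $once === $stored ? 'no' : 'yes',
        $once === $twice ? 'yes' : 'no'
    );
}
```

Two limits of the rule are visible in the code: a plaintext password that happens to be exactly 32 hex characters is classified as md5, and any value longer than 32 characters is left as stored.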

#2 @pento
9 months ago

  • Component changed from Database to Upgrade/Install
  • Keywords needs-patch added
  • Milestone changed from Awaiting Review to Future Release
  • Version trunk deleted

#3 @jbcomte35
7 months ago

I'm on it, I'll push a .diff file within a few days.


@jbcomte35
7 months ago

Diff file

#4 @jbcomte35
7 months ago

  • Keywords has-patch added; needs-patch removed

#5 @jbcomte35
7 months ago

  • Keywords needs-testing added