WordPress.org

Make WordPress Core

Opened 12 days ago

Closed 4 days ago

Last modified 3 days ago

#49392 closed defect (bug) (invalid)

wp_check_password is broken and give result false if there is ampersand (&) character on password

Reported by: nariyanto Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: Users Keywords:
Focuses: Cc:

Description

While testing change password method that uses wp_check_password where I was passing in a correct current password and password combination. Here are the steps to replicate this issues:

  1. Now try to change the newest password to k)176p*nFXA8Qk&@mb6cI8(b
  2. try to check password using wp_check_password() method, with current password contain ampersand (&) character.
  3. Observe

Change History (5)

#1 @SergeyBiryukov
12 days ago

  • Component changed from General to Users

#2 @bookdude13
11 days ago

  • Keywords reporter-feedback added

@nariyanto Thanks for the ticket!

I am unable to reproduce this when changing a different user's password, changing my own, or doing a password reset for me. I am able to set it to your provided password and login with it just fine.

How were you testing when you saw this behavior? Was this a unit test or something similar?

#3 @nariyanto
4 days ago

  • Resolution set to invalid
  • Status changed from new to closed

Hi @bookdude13 ,

Thanks for the reply and investigation. I test and debug on our plugins and have double check it. I found that & character is converted to & before wp_check_password() function called.

Now the issue is solved, you may closed this ticket.

Regards,
Septiyan

#4 @JaworskiMatt
4 days ago

If someone runs into a similar problem while developing a plugin. Our issue was because of the default escaping of $_POST arguments - we needed an exception made for the password, so we could hash it properly.

#5 @desrosj
3 days ago

  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
  • Version 5.3.2 deleted
Note: See TracTickets for help on using tickets.