Make WordPress Core

Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#49392 closed defect (bug) (invalid)

wp_check_password is broken and give result false if there is ampersand (&) character on password

Reported by: nariyanto
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Users
Keywords:
Focuses:
Cc:


While testing a change-password method that uses wp_check_password, I was passing in a correct current password and password combination. Here are the steps to replicate this issue:

  1. Now try to change the newest password to k)176p*nFXA8Qk&@mb6cI8(b
  2. Try to check the password using the wp_check_password() method, with the current password containing an ampersand (&) character.
  3. Observe

Change History (5)

#1 @SergeyBiryukov
4 years ago

  • Component changed from General to Users

#2 @bookdude13
4 years ago

  • Keywords reporter-feedback added

@nariyanto Thanks for the ticket!

I am unable to reproduce this when changing a different user's password, changing my own, or doing a password reset for me. I am able to set it to your provided password and log in with it just fine.

How were you testing when you saw this behavior? Was this a unit test or something similar?

#3 @nariyanto
4 years ago

  • Resolution set to invalid
  • Status changed from new to closed

Hi @bookdude13,

Thanks for the reply and investigation. I tested and debugged on our plugins and have double-checked it. I found that the & character is converted to & before the wp_check_password() function is called.

Now the issue is solved, you may close this ticket.


#4 @JaworskiMatt
4 years ago

In case someone runs into a similar problem while developing a plugin: our issue was because of the default escaping of $_POST arguments - we needed an exception made for the password, so we could hash it properly.

#5 @desrosj
4 years ago

  • Keywords reporter-feedback removed
  • Milestone Awaiting Review deleted
  • Version 5.3.2 deleted
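
The mismatch described in comments #3 and #4, as an added example that is not part of the ticket, WordPress core, or the reporter's plugin. It is plain PHP in which password_hash()/password_verify() stand in for wp_hash_password()/wp_check_password(); the filter list (including HTML-entity encoding of &) and the helper names are assumptions about what a plugin's generic input handling might apply.

```php
<?php
// Added illustration in plain PHP (7.4+); not WordPress or plugin code.
// password_hash()/password_verify() stand in for wp_hash_password()/
// wp_check_password(). The filter list below is an assumption.

// Transformations a plugin might apply to every request field before use.
function candidate_filters(): array {
    return [
        'htmlspecialchars' => fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'),
        'addslashes'       => fn(string $s): string => addslashes($s),
        'strip_tags'       => fn(string $s): string => strip_tags($s),
        'trim'             => fn(string $s): string => trim($s),
    ];
}

// Return [filter name => altered value] for every filter that changes $password.
function filters_that_alter(string $password): array {
    $altered = [];
    foreach (candidate_filters() as $name => $filter) {
        $out = $filter($password);
        if ($out !== $password) {
            $altered[$name] = $out;
        }
    }
    return $altered;
}

// Hash the password as the user chose it, then show whether the raw value and
// each filtered variant still verify against that hash.
function report(string $password): void {
    $stored = password_hash($password, PASSWORD_DEFAULT);
    printf("raw %s => %s\n", $password, var_export(password_verify($password, $stored), true));
    foreach (filters_that_alter($password) as $name => $value) {
        printf("  %s %s => %s\n", $name, $value, var_export(password_verify($value, $stored), true));
    }
}

report('k)176p*nFXA8Qk&@mb6cI8(b');   // password quoted in the ticket
report(' p"a<b>ss\\w0rd ');             // constructed sample that trips the other filters
```

Running filters_that_alter() over representative passwords shows which generic input filters a password field must be exempted from before it reaches the hash check.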