Make WordPress Core

Opened 5 years ago

Last modified 3 months ago

#49639 new enhancement

Add a filter on wp_insert_user function regarding $user_pass

Reported by: stokim Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Users Keywords: good-first-bug has-patch 2nd-opinion has-unit-tests
Focuses: Cc:

Description (last modified by SergeyBiryukov)

/5.3/src/wp-includes/user.php
function wp_insert_user ( $userdata ) 1542 line
Please apply the below filter so that I can add a rule on user typed password before hashing the password.

$pre_user_password = apply_filters( 'pre_user_password', $user_pass );

Thank you.

Best regards,
Jen

Attachments (2)

49639.patch (420 bytes) - added by tomjdevisser 4 years ago.
Added the filter
49639-2.diff (2.2 KB) - added by ilovecats7 3 years ago.


Change History (12)

#1 @SergeyBiryukov
5 years ago

  • Component changed from Formatting to Users

#2 @johnbillion
4 years ago

  • Keywords needs-patch good-first-bug added
  • Version 5.4 deleted

@tomjdevisser
4 years ago

Added the filter

#3 @tomjdevisser
4 years ago

  • Focuses privacy added
  • Keywords has-patch dev-feedback 2nd-opinion added; needs-patch good-first-bug removed

I added the filter and changed the name of the variable to $pre_hash_password as I thought that would be a more descriptive name for a hook.

I would like to know if this goes against any security protocols, as you're giving site and plugin developers access to a non-hashed password of users without permission.

Last edited 4 years ago by tomjdevisser

This ticket was mentioned in Slack in #core by tomjdevisser.


4 years ago

#5 @jorbin
4 years ago

  • Focuses privacy removed
  • Keywords needs-patch added; has-patch removed

Thanks for the first pass @tomjdevisser. A few notes

All filters need a doc block https://developer.wordpress.org/coding-standards/inline-documentation-standards/php/#4-hooks-actions-and-filters

We also need to make sure that the results of the filter are being used. In this pass, $pre_hash_password is set but then goes nowhere. I think it might also be good to check after that it isn't a falsy value and return a wp_error if that is the case.

I also think this needs to take into account updating users and not just inserting them.

As for the privacy concerns, plugins already have access to this from the global $_POST.
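
The review points in comment #5, as an added example that is not part of the ticket, its patches, or WordPress core: the filter carries a doc block, its return value is what gets hashed, and an empty result becomes a WP_Error. It assumes the code runs inside WordPress (for example as a plugin file); the hook name `pre_hash_password` follows the ticket discussion and does not exist in core, and the `example_*` function, the error code and the 12-character rule are hypothetical.

```php
<?php
/**
 * Filters a plaintext password, then hashes the filtered result.
 * Illustrative helper, not the body of wp_insert_user().
 *
 * @param string $user_pass Plaintext password as typed by the user.
 * @param bool   $update    Whether an existing user is being updated.
 * @return string|WP_Error Password hash, or WP_Error if the result is empty.
 */
function example_filter_and_hash_password( $user_pass, $update = false ) {
	/**
	 * Filters a user's plaintext password before it is hashed.
	 * Hypothetical hook, named after the ticket discussion.
	 *
	 * @param string $user_pass Plaintext password.
	 * @param bool   $update    Whether this is a user update.
	 */
	$pre_hash_password = apply_filters( 'pre_hash_password', $user_pass, $update );

	// Strict check: a loose falsy test would also reject the password "0".
	if ( ! is_string( $pre_hash_password ) || '' === $pre_hash_password ) {
		return new WP_Error( 'empty_user_password', 'The password was empty or rejected by a filter.' );
	}

	// Hash the filter's return value, not the original $user_pass.
	return wp_hash_password( $pre_hash_password );
}

// Constructed plugin rule: reject passwords shorter than 12 characters
// by returning an empty string, which the check above turns into a WP_Error.
add_filter(
	'pre_hash_password',
	function ( $user_pass, $update ) {
		// Only inspect the value; never log or store the plaintext.
		return ( is_string( $user_pass ) && strlen( $user_pass ) >= 12 ) ? $user_pass : '';
	},
	10,
	2
);

// Constructed sample input: too short for the rule above.
$result = example_filter_and_hash_password( 'tooshort' );
if ( is_wp_error( $result ) ) {
	// Log the error message only, never the password itself.
	error_log( $result->get_error_message() );
}
```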

#6 @SergeyBiryukov
4 years ago

  • Description modified

#7 @johnbillion
3 years ago

  • Keywords good-first-bug added; dev-feedback 2nd-opinion removed

@ilovecats7
3 years ago

#8 @ilovecats7
3 years ago

  • Keywords has-patch 2nd-opinion added; needs-patch removed

Hello,

I submitted my first patch. Not sure if I'm supposed to modify the ticket?

This ticket was mentioned in PR #7384 on WordPress/wordpress-develop by @mklute101.


3 months ago
#9

  • Keywords has-unit-tests added

This PR adds a filter on the user-typed password before hashing the password.
It also includes an error check for an empty password and a backslash. Unit tests are included for both.

Trac ticket: 49639

@TimothyBlynJacobs commented on PR #7384:


3 months ago
#10

Thanks for the PR @mklute101! We need to fix the PHPCS issues. You should be able to run something like this:

./vendor/bin/phpcbf src/wp-includes/user.php