Opened 6 years ago
Last modified 5 months ago
#49639 new enhancement
Add a filter on wp_insert_user function regarding $user_pass
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | Awaiting Review | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Users | Keywords: | good-first-bug has-patch 2nd-opinion has-unit-tests |
| Focuses: | | Cc: | |
Description (last modified by )
/5.3/src/wp-includes/user.php
function wp_insert_user ( $userdata ) 1542 line
Please apply the below filter so that I can add a rule on user typed password before hashing the password.
$pre_user_password = apply_filters( 'pre_user_password', $user_pass );
Thank you.
Best regards,
Jen
Attachments (2)
Change History (13)
#3
@
5 years ago
- Focuses privacy added
- Keywords has-patch dev-feedback 2nd-opinion added; needs-patch good-first-bug removed
I added the filter and changed the name of the variable to $pre_hash_password as I thought that would be a more descriptive name for a hook.
I would like to know if this goes against any security protocols, as you're giving site and plugin developers access to a non-hashed password of users without permission.
This ticket was mentioned in Slack in #core by tomjdevisser. View the logs.
5 years ago
#5
@
5 years ago
- Focuses privacy removed
- Keywords needs-patch added; has-patch removed
Thanks for the first pass @tomjdevisser. A few notes:
All filters need a doc block: https://developer.wordpress.org/coding-standards/inline-documentation-standards/php/#4-hooks-actions-and-filters
We also need to make sure that the results of the filter are being used. In this pass, $pre_hash_password is set but then goes nowhere. I think it might also be good to check after that it isn't a falsy value and return a wp_error if that is the case.
I also think this needs to take into account updating users and not just inserting them.
As for the privacy concerns, plugins already have access to this from the global $_POST.
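A sketch of the points raised in the review above (doc block, filtered value actually used, rejection returned as a `WP_Error`, same path for insert and update), as an added example that is not taken from either PR or from WordPress core. The helper name, the `$update` argument, the error code and the 12-character rule are assumptions, and the code assumes it is loaded inside WordPress, for example as a plugin file.

```php
<?php
/**
 * Hypothetical helper (not WordPress core): runs the filter proposed in this
 * ticket on a plaintext password, uses the filtered value, and rejects an
 * empty result.
 *
 * @param string $user_pass Plaintext password as typed by the user.
 * @param bool   $update    True for a user update, false for an insert.
 * @return string|WP_Error Password hash, or WP_Error if a callback rejected it.
 */
function example_hash_filtered_password( $user_pass, $update = false ) {
	/**
	 * Filters a user's plaintext password before it is hashed.
	 *
	 * The hook name is the one proposed in this ticket; the second
	 * argument is an assumption made for this example.
	 *
	 * @param string $user_pass Plaintext password.
	 * @param bool   $update    Whether the user is being updated.
	 */
	$pre_hash_password = apply_filters( 'pre_hash_password', $user_pass, $update );

	// A callback rejects the password by returning an empty or non-string
	// value. The check is strict so the literal password "0", which PHP
	// treats as falsy, is not mistaken for a rejection.
	if ( ! is_string( $pre_hash_password ) || '' === $pre_hash_password ) {
		// Constructed error code, not one defined by core.
		return new WP_Error( 'invalid_user_password', __( 'The password was rejected.' ) );
	}

	// Hash the filtered value, not the original $user_pass.
	return wp_hash_password( $pre_hash_password );
}

// Example callback enforcing a constructed rule (at least 12 characters).
// It only inspects the value and never logs or stores the plaintext.
add_filter(
	'pre_hash_password',
	function ( $user_pass, $update ) {
		return ( is_string( $user_pass ) && strlen( $user_pass ) >= 12 ) ? $user_pass : '';
	},
	10,
	2
);
```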
#8
@
4 years ago
- Keywords has-patch 2nd-opinion added; needs-patch removed
Hello,
I submitted my first patch. Not sure if I'm supposed to modify the ticket?
This ticket was mentioned in PR #7384 on WordPress/wordpress-develop by @mklute101.
14 months ago
#9
- Keywords has-unit-tests added
This PR adds a filter on the user-typed password before hashing the password.
It also includes an error check for an empty password and a backslash. Unit tests are included for both.
Trac ticket: 49639
@TimothyBlynJacobs commented on PR #7384:
14 months ago
#10
Thanks for the PR @mklute101! We need to fix the PHPCS issues. You should be able to run something like this:
./vendor/bin/phpcbf src/wp-includes/user.php
This ticket was mentioned in PR #9093 on WordPress/wordpress-develop by NabhishekSingh.
5 months ago
#11
The PR adds a new pre_hash_password filter in the wp_insert_user() and wp_update_user() functions, allowing anyone to modify or validate passwords before hashing.
Added the filter