Make WordPress Core

Opened 6 months ago

Closed 6 months ago

Last modified 6 months ago

#61703 closed defect (bug) (fixed)

the_password_form hook documentation incorrectly references 20char password limit

Reported by: dd32's profile dd32 Owned by: sergeybiryukov's profile SergeyBiryukov
Milestone: 6.7 Priority: normal
Severity: normal Version: 4.7
Component: Posts, Post Types Keywords: has-patch commit
Focuses: docs Cc:

Description (last modified by dd32)

The documentation for the 'the_password_form' hook currently reminds developers that the database schema limits the password to 20 characters in length.

https://github.com/WordPress/wordpress-develop/blob/5a30482419f1b0bcc713a7fdee3a14afd67a1bca/src/wp-includes/post-template.php#L1780-L1782

However, starting in WordPress 3.6 the password is no longer stored as plaintext, and instead as a hash, which removes the length limitation of the password.
However, in WordPress 4.7 the column was increased in length to 255char.

I'd suggest that the reminder can just be removed.

Props @davidhbrown for noticing this.

Attachments (1)

Screenshot 2024-08-01 at 10.37.47 AM.png (13.8 KB) - added by peterwilsoncc 6 months ago.

Download all attachments as: .zip

Change History (19)

This ticket was mentioned in PR #7062 on WordPress/wordpress-develop by @debarghyabanerjee.


6 months ago
#1

  • Keywords has-patch added

Trac Ticket: Core-61703

## Problem Statement:

  • Beginning with WordPress 3.6, passwords are no longer stored as plaintext but instead as hashed values. This change eliminates the previous length limitation imposed by plaintext passwords.

## Solution:

  • Removed the comment that had the 20 chars reference from the Doc Block comment.

@mukesh27 commented on PR #7062:


6 months ago
#2

Thanks @Debarghya-Banerjee, PR LGTM!

#3 @mukesh27
6 months ago

  • Keywords commit added
  • Milestone changed from Awaiting Review to 6.7

#4 @SergeyBiryukov
6 months ago

  • Owner set to SergeyBiryukov
  • Status changed from new to reviewing

#5 @peterwilsoncc
6 months ago

@dd32, I'm not seeing this change. The post password appears to be stored in plain text still. Is it possible there was some confusion with user passwords?

The field has been changed to a varchar(255) so the docs will need an update.

#6 follow-up: @dd32
6 months ago

  • Description modified (diff)
  • Version set to 4.7

@peterwilsoncc Uhh, So... I've misrecalled how it works :D

The change wasn't to store post_password in a hashed form, but rather to cease storing it in the access cookie in plaintext and instead store a hash there.. #19797 #3316

Column increased in length via #881 / [38590]

#7 in reply to: ↑ 6 @SergeyBiryukov
6 months ago

Replying to peterwilsoncc:

I'm not seeing this change. The post password appears to be stored in plain text still. Is it possible there was some confusion with user passwords?

That's what I found too (hence didn't commit the current patch). When testing on trunk, post passwords are indeed stored in plain text.

Replying to dd32:

The change wasn't to store post_password in a hashed form, but rather to cease storing it in the access cookie in plaintext and instead store a hash there.. #19797 #3316

That sounds right :)

#8 @SergeyBiryukov
6 months ago

  • Keywords commit removed

#9 @peterwilsoncc
6 months ago

As a path forward I think the following needs to change:

  • docs: retain as is but update the maximum length note to 255 characters
  • field: update size attribute to 255
  • upstream in GB repo: modify the field so it only allows a maximum of 255 characters.

At present it's possible to set a password in the admin that can't be entered in the front end UI, thus the suggested change to the field.

#10 follow-up: @peterwilsoncc
6 months ago

For the editor side changes:


@debarghyabanerjee do your have time to update your PR with the details in the comment above? It's no problem if the answer is no, someone else will be able to pick it up.

#11 in reply to: ↑ 10 @debarghyabanerjee
6 months ago

Replying to peterwilsoncc:

For the editor side changes:


@debarghyabanerjee do your have time to update your PR with the details in the comment above? It's no problem if the answer is no, someone else will be able to pick it up.

HI @peterwilsoncc , sure I will update it and push the changes.

@debarghyabanerjee commented on PR #7062:


6 months ago
#12

Hi @peterwilsoncc, I have made the necessary changes, can you please check once. Sorry for the delay.

#13 @peterwilsoncc
6 months ago

I've finally figured out what was actually wrong with the filter's docs.

The docs were confusing the size attribute with the maxlength attribute. size sets the width of display of the input, whereas maxlength sets the maximum number of characters allowed in the field.

This makes my advice yesterday incorrect, sorry.

Revising my thoughts appropriately:

  • the field's size attribute should remain unchanged to avoid horizontal scroll in browser windows
  • the docs should be updated to read: "If modifying the password input, please note that the WordPress database schema limits the password length to 255 characters regardless of the value of any minlength or maxlength attributes or other validation that may be added to the input."

Having thought about it overnight, I don't think WordPress should limit the length of the input on the front end as entering a 300 character long password is an incorrect password and it would be a bad idea for WordPress to correct that to a possibly correct password.

@debarghyabanerjee commented on PR #7062:


6 months ago
#14

Hi @peterwilsoncc, I have addressed these changes. Can you please take a look into it? Thanks.

#15 @peterwilsoncc
6 months ago

  • Keywords commit added

@SergeyBiryukov The linked pull request looks good to me, are you able to do the commit honours?

#16 @SergeyBiryukov
6 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 58846:

Docs: Correct documentation for the_password_form hook.

This replaces an outdated note about the 20 characters limit on the password field in the WordPress database schema.

The post_password column was increased to 255 characters in WordPress 4.7.

Follow-up to [27676], [38590].

Props debarghyabanerjee, peterwilsoncc, dd32, mukesh27.
Fixes #61703.

@SergeyBiryukov commented on PR #7062:


6 months ago
#17

Thanks for the PR! Merged in r58846.

#18 @SergeyBiryukov
6 months ago

Looks like I missed the props for @davidhbrown here. Sorry for that! I have updated the props list for [58846] in the Core Props tool on make/core to correct that.

Note: See TracTickets for help on using tickets.