#61703 closed defect (bug) (fixed)
the_password_form hook documentation incorrectly references 20char password limit
Reported by: | dd32 | Owned by: | SergeyBiryukov |
---|---|---|---|
Milestone: | 6.7 | Priority: | normal |
Severity: | normal | Version: | 4.7 |
Component: | Posts, Post Types | Keywords: | has-patch commit |
Focuses: | docs | Cc: |
Description (last modified by )
The documentation for the 'the_password_form' hook currently reminds developers that the database schema limits the password to 20 characters in length.
However, starting in WordPress 3.6 the password is no longer stored as plaintext, and instead as a hash, which removes the length limitation of the password.
However, in WordPress 4.7 the column was increased in length to 255char.
I'd suggest that the reminder can just be removed.
Props @davidhbrown for noticing this.
Attachments (1)
Change History (19)
This ticket was mentioned in PR #7062 on WordPress/wordpress-develop by @debarghyabanerjee.
6 months ago
#1
- Keywords has-patch added
@mukesh27 commented on PR #7062:
6 months ago
#2
Thanks @Debarghya-Banerjee, PR LGTM!
#5
@
6 months ago
@dd32, I'm not seeing this change. The post password appears to be stored in plain text still. Is it possible there was some confusion with user passwords?
The field has been changed to a varchar(255) so the docs will need an update.
#7
in reply to:
↑ 6
@
6 months ago
Replying to peterwilsoncc:
I'm not seeing this change. The post password appears to be stored in plain text still. Is it possible there was some confusion with user passwords?
That's what I found too (hence didn't commit the current patch). When testing on trunk, post passwords are indeed stored in plain text.
Replying to dd32:
The change wasn't to store post_password in a hashed form, but rather to cease storing it in the access cookie in plaintext and instead store a hash there.. #19797 #3316
That sounds right :)
#9
@
6 months ago
As a path forward I think the following needs to change:
- docs: retain as is but update the maximum length note to
255
characters - field: update size attribute to 255
- upstream in GB repo: modify the field so it only allows a maximum of 255 characters.
At present it's possible to set a password in the admin that can't be entered in the front end UI, thus the suggested change to the field.
#10
follow-up:
↓ 11
@
6 months ago
For the editor side changes:
@debarghyabanerjee do your have time to update your PR with the details in the comment above? It's no problem if the answer is no, someone else will be able to pick it up.
#11
in reply to:
↑ 10
@
6 months ago
Replying to peterwilsoncc:
For the editor side changes:
@debarghyabanerjee do your have time to update your PR with the details in the comment above? It's no problem if the answer is no, someone else will be able to pick it up.
HI @peterwilsoncc , sure I will update it and push the changes.
@debarghyabanerjee commented on PR #7062:
6 months ago
#12
Hi @peterwilsoncc, I have made the necessary changes, can you please check once. Sorry for the delay.
#13
@
6 months ago
I've finally figured out what was actually wrong with the filter's docs.
The docs were confusing the size
attribute with the maxlength
attribute. size
sets the width of display of the input, whereas maxlength
sets the maximum number of characters allowed in the field.
This makes my advice yesterday incorrect, sorry.
Revising my thoughts appropriately:
- the field's
size
attribute should remain unchanged to avoid horizontal scroll in browser windows - the docs should be updated to read: "If modifying the password input, please note that the WordPress database schema limits the password length to 255 characters regardless of the value of any
minlength
ormaxlength
attributes or other validation that may be added to the input."
Having thought about it overnight, I don't think WordPress should limit the length of the input on the front end as entering a 300 character long password is an incorrect password and it would be a bad idea for WordPress to correct that to a possibly correct password.
@debarghyabanerjee commented on PR #7062:
6 months ago
#14
Hi @peterwilsoncc, I have addressed these changes. Can you please take a look into it? Thanks.
#15
@
6 months ago
- Keywords commit added
@SergeyBiryukov The linked pull request looks good to me, are you able to do the commit honours?
@SergeyBiryukov commented on PR #7062:
6 months ago
#17
Thanks for the PR! Merged in r58846.
Trac Ticket: Core-61703
## Problem Statement:
## Solution: