[wp-trac] Re: [WordPress Trac] #3316: Protected post password is
plain text in cookie
WordPress Trac
wp-trac at lists.automattic.com
Tue Jan 27 22:08:21 GMT 2009
#3316: Protected post password is plain text in cookie
--------------------------+-------------------------------------------------
Reporter: dosa | Owner: anonymous
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 2.8
Component: Security | Version: 2.1
Severity: normal | Resolution:
Keywords: |
--------------------------+-------------------------------------------------
Changes (by Viper007Bond):
* priority: high => normal
* severity: major => normal
Comment:
When this ticket was originally opened, it would have been a nightmare to
patch as the cookie was checked in the theme itself:
{{{
if (!empty($post->post_password)) { // if there's a password
if ($_COOKIE['wp-postpass_' . COOKIEHASH] !=
$post->post_password) { // and it doesn't match the cookie
?>
<p class="nocomments">This post is password
protected. Enter the password to view comments.</p>
<?php
return;
}
}
}}}
Now however we have the `post_password_required()` function which handles
the cookie checking and could be updated to check against a hashed cookie.
The problem is that relatively few themes have probably updated to make
use of that function. They are all likely still using the old direct check
code. That means that '''all pre-WP 2.7 themes would have to be updated or
would otherwise break'''. This is kinda unacceptable for such a relatively
minor security improvement.
Recommend reclosing as wontfix.
--
Ticket URL: <http://trac.wordpress.org/ticket/3316#comment:7>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list