[wp-trac] [WordPress Trac] #13654: Install should NOT use stripslashes on admin password
WordPress Trac
wp-trac at lists.automattic.com
Mon May 31 10:06:23 UTC 2010
#13654: Install should NOT use stripslashes on admin password
-----------------------------+----------------------------------------------
Reporter: johanee | Owner: dd32
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Upgrade/Install | Version: 3.0
Severity: normal | Keywords:
-----------------------------+----------------------------------------------
If you use ', ", \ in the administration password when doing a new install
you will not be able to log in.
This is because the new 3.0 install uses stripslashes() on the
administator password.
This would normally be the right thing to do, but unfortunately no other
part of the WordPress password handling does so. Login tests against
unescaped strings, new user creation and user edit uses the same.
This is unfortunate, but as all WordPress users ever created have \", \',
\\ in their hashed passwords (depending on server configuration I guess)
it is probably too painful to change.
Therefore wp-admin/install.php should be changed to not use
stripslashes().
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13654>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list