[wp-trac] [WordPress Trac] #17145: Entities in protected post passwords cause password mismatch

WordPress Trac wp-trac at lists.automattic.com
Fri Apr 15 18:09:26 UTC 2011


#17145: Entities in protected post passwords cause password mismatch
--------------------------+-----------------------------
 Reporter:  dllh          |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Validation    |    Version:
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 Repro:

 1. Make a new post.
 2. Give it a password with quotes or other entities in it (e.g.
 "here'quote")
 3. With cookies cleared and as a non-admin user, supply the correct
 password to view the post.

 Expected Result: Rainbows, unicorns, access to the secrets of life via the
 newly unlocked post.

 Actual Result: The password doesn't match. This is because setcookie()
 automatically urlencodes the cookie value. So the sample password above
 winds up causing "here%27quote" to be compared to "here'quote" and there's
 a mismatch.

 The attached patch corrects the issue. Another approach would be to limit
 input on the front end. The attached patch is a simpler solution less
 constraining on the user.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/17145>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
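The mismatch the reporter describes, reproduced as an added example (this is not WordPress code and not the ticket's patch): a password containing an apostrophe is URL-encoded by `setcookie()`, so the value that reaches the cookie no longer equals the stored password. The block also shows two ways to make the check hold: decoding with the inverse of the encoding `setcookie()` applies, and, as a design alternative assumed here rather than taken from the ticket, keeping the plaintext password out of the cookie by sending a keyed hash of it instead. The sample password, the function names and the placeholder secret are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample password from the ticket: contains an apostrophe.
const SAMPLE_POST_PASSWORD = "here'quote";

// setcookie() applies urlencode() to the value before emitting Set-Cookie,
// so this is the form that travels to the browser.
function cookie_value_as_sent(string $password): string
{
    return urlencode($password); // "here'quote" becomes "here%27quote"
}

// The comparison the ticket describes: encoded cookie value vs. stored password.
function naive_matches(string $cookie_value, string $stored_password): bool
{
    return $cookie_value === $stored_password;
}

// Fix in the spirit of the ticket: undo the encoding before comparing, and
// compare in constant time so the check does not leak prefix timing.
// urldecode() is the inverse of the urlencode() that setcookie() uses
// (both treat a space as '+'); rawurldecode() would not be.
function decoded_matches(string $cookie_value, string $stored_password): bool
{
    return hash_equals($stored_password, urldecode($cookie_value));
}

// Alternative design (an assumption of this example, not the ticket's patch):
// the cookie carries an HMAC of the password under a server-side secret, so
// the browser never holds the plaintext and the hex token contains no
// characters that urlencode() rewrites.
function issue_token(string $password, string $server_secret): string
{
    return hash_hmac('sha256', $password, $server_secret);
}

function token_matches(string $cookie_token, string $stored_password, string $server_secret): bool
{
    return hash_equals(issue_token($stored_password, $server_secret), $cookie_token);
}

// Demonstration of the three comparisons on the sample password.
$sent = cookie_value_as_sent(SAMPLE_POST_PASSWORD);
printf("cookie on the wire : %s\n", $sent);
printf("naive comparison   : %s\n", naive_matches($sent, SAMPLE_POST_PASSWORD) ? 'match' : 'MISMATCH');
printf("decoded comparison : %s\n", decoded_matches($sent, SAMPLE_POST_PASSWORD) ? 'match' : 'MISMATCH');

$secret = 'constructed-placeholder-secret'; // placeholder, not a real key
$token  = issue_token(SAMPLE_POST_PASSWORD, $secret);
printf("token comparison   : %s\n",
    token_matches(cookie_value_as_sent($token), SAMPLE_POST_PASSWORD, $secret) ? 'match' : 'MISMATCH');
```

The decoding step has to match where the value is actually read: if the cookie is taken from PHP's `$_COOKIE` array, PHP has already URL-decoded it, and decoding a second time would corrupt a password that legitimately contains `%` or `+`. The token variant sidesteps that question because its value is unchanged by encoding, and it also stops the post password itself from sitting in the browser's cookie store.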

