[wp-trac] [WordPress Trac] #24367: Admin login with correct password fails

WordPress Trac noreply at wordpress.org
Mon May 27 03:02:19 UTC 2013


#24367: Admin login with correct password fails
----------------------------+--------------------
 Reporter:  sergej.mueller  |       Owner:
     Type:  defect (bug)    |      Status:  new
 Priority:  high            |   Milestone:  3.6
Component:  Administration  |     Version:  trunk
 Severity:  blocker         |  Resolution:
 Keywords:  has-patch       |
----------------------------+--------------------
Changes (by SergeyBiryukov):

 * milestone:  Awaiting Review => 3.6


Comment:

 Somehow I missed that `edit_user()` actually sets the user's password from
 `$_POST['pass1']`, not just checks it.

 Before [23634], we used to store a hash of the slashed password. We also
 passed the slashed password to `check_passwords` and
 `user_profile_update_errors` actions.

 Now we store a hash of the unslashed password. We could add `wp_unslash()`
 to `wp_signon()`, as suggested in [attachment:24367.patch]
 ([attachment:24367.2.patch] also removes an obsolete `stripslashes()` call
 from `edit_user()`). However, that would break passwords with slashes
 created prior to [23634].

 Looks like we need to continue to use slashed passwords internally.
 [attachment:24367.3.patch] is a partial revert of [23634]. It just fixes
 the password in the notification email, as originally suggested in #17018.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24367#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
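The mismatch the comment describes, shown as an added example (not WordPress code; PHP's `password_hash()`/`password_verify()` stand in for the phpass wrapper): a hash created from the slashed password only verifies when the check also slashes its input.

```php
<?php
// Added example, not WordPress code. Demonstrates why hashing the slashed form
// of a password at set time but verifying the unslashed form at login locks
// out any user whose password contains a backslash or a quote.

/** Pre-[23634] behaviour: the stored hash covers the slashed password. */
function set_password_slashed(string $plain): string {
    return password_hash(addslashes($plain), PASSWORD_DEFAULT);
}

/** Login check that compares the raw (unslashed) password against the stored hash. */
function check_password_unslashed(string $plain, string $stored): bool {
    return password_verify($plain, $stored);
}

/** Login check that keeps the slashed form internally, matching how the hash was made. */
function check_password_slashed(string $plain, string $stored): bool {
    return password_verify(addslashes($plain), $stored);
}

// Constructed sample passwords: one without magic characters, one with a
// backslash and double quotes (single-quoted PHP string, so \t is literal).
$samples = ['correct horse', 'c:\temp "quoted"'];

foreach ($samples as $pw) {
    $stored = set_password_slashed($pw);
    printf("%-22s unslashed check: %-4s | slashed check: %s\n",
        var_export($pw, true),
        check_password_unslashed($pw, $stored) ? 'ok' : 'FAIL',
        check_password_slashed($pw, $stored)   ? 'ok' : 'FAIL');
}
```

For `correct horse` both checks succeed because `addslashes()` leaves it unchanged; for the second password only the slashed check succeeds, which is the lockout the ticket reports and why the comment concludes that slashed passwords must stay in use internally.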