[wp-trac] [WordPress Trac] #17145: Entities in protected post passwords cause password mismatch
WordPress Trac
wp-trac at lists.automattic.com
Fri Apr 15 18:09:26 UTC 2011
#17145: Entities in protected post passwords cause password mismatch
--------------------------+-----------------------------
Reporter: dllh | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Validation | Version:
Severity: normal | Keywords:
--------------------------+-----------------------------
Repro:
1. Make a new post.
2. Give it a password with quotes or other entities in it (e.g.
"here'quote").
3. With cookies cleared and as a non-admin user, supply the correct
password to view the post.
Expected Result: Rainbows, unicorns, access to the secrets of life via the
newly unlocked post.
Actual Result: The password doesn't match. This is because setcookie()
automatically urlencodes the cookie value. So the sample password above
winds up causing "here%27quote" to be compared to "here'quote" and there's
a mismatch.
The attached patch corrects the issue. Another approach would be to limit
input on the front end. The attached patch is a simpler solution that is
less constraining on the user.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17145>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
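The following PHP script is an added illustration of the mismatch the ticket describes and of two ways to avoid it; it is not code from the ticket's patch or from WordPress core. The helper names, the cookie handling and the sample password are assumptions chosen to mirror the repro above. It shows the value setcookie() actually emits for "here'quote", why a byte-for-byte comparison of that value against the stored post password fails, a read-side fix that normalises the cookie value (urldecode(), plus stripslashes() when the value has passed through WordPress's wp_magic_quotes() slashing) before a constant-time comparison, and an alternative that keeps the plaintext password out of the cookie altogether by storing a salted hash and verifying the post's password against it. One caveat for anyone reproducing this: PHP decodes the values it exposes through $_COOKIE on receipt, so the raw "%27" form is what you see on the wire or in a raw Cookie header, and whether the application compares the encoded, decoded or slashed form depends on which of those it reads.

```php
<?php
// Added example, not the ticket's patch and not WordPress core code.
// Helper names and the sample password are assumptions for illustration.

// What setcookie() puts on the wire: per the PHP manual the value is
// urlencode()d before it is sent, so "here'quote" goes out as "here%27quote".
function cookie_wire_value(string $raw): string
{
    return urlencode($raw);
}

// The comparison the ticket complains about: the cookie value, still in its
// encoded form, compared byte-for-byte against the plaintext post password.
function post_password_ok_naive(string $cookie_value, string $post_password): bool
{
    return $cookie_value === $post_password;
}

// Read-side fix: bring the cookie value back to the form the password was
// stored in before comparing. urldecode() reverses setcookie()'s encoding;
// stripslashes() reverses the slashing WordPress applies to request data in
// wp_magic_quotes(), which would otherwise turn ' into \' (assumed to have
// happened when $slashed is true).
function post_password_ok_normalised(string $cookie_value, string $post_password, bool $slashed = false): bool
{
    $candidate = urldecode($cookie_value);
    if ($slashed) {
        $candidate = stripslashes($candidate);
    }
    // hash_equals(): constant-time comparison, available since PHP 5.6.
    return hash_equals($post_password, $candidate);
}

// Alternative that sidesteps the encoding question: never store the plaintext
// password in the cookie. Put a salted hash of the entered password there and,
// on each request, verify the post's stored password against that hash.
// Hash output is plain ASCII, so there is nothing for setcookie() to mangle,
// and a leaked cookie no longer reveals the password itself.
function make_post_password_cookie(string $entered_password): string
{
    return password_hash($entered_password, PASSWORD_DEFAULT);
}

function post_password_ok_hashed(string $cookie_hash, string $post_password): bool
{
    return password_verify($post_password, $cookie_hash);
}

// Constructed sample input taken from the ticket's repro steps.
$postPassword = "here'quote";
$cookie       = cookie_wire_value($postPassword);

echo "wire value:            ", $cookie, PHP_EOL;
echo "naive compare:         ", var_export(post_password_ok_naive($cookie, $postPassword), true), PHP_EOL;
echo "normalised compare:    ", var_export(post_password_ok_normalised($cookie, $postPassword), true), PHP_EOL;

// Same password after it has been slashed by magic quotes before being set,
// i.e. the cookie was written from a slashed $_POST value.
$slashedCookie = cookie_wire_value(addslashes($postPassword));
echo "slashed wire value:    ", $slashedCookie, PHP_EOL;
echo "normalised + unslash:  ", var_export(post_password_ok_normalised($slashedCookie, $postPassword, true), true), PHP_EOL;

// Hashed-cookie variant: right password verifies, wrong password does not.
$hashCookie = make_post_password_cookie($postPassword);
echo "hashed, correct:       ", var_export(post_password_ok_hashed($hashCookie, $postPassword), true), PHP_EOL;
echo "hashed, wrong:         ", var_export(post_password_ok_hashed($hashCookie, 'wrong'), true), PHP_EOL;
```

Run it with `php example.php`. The hashed variant is worth preferring over the read-side normalisation: it removes the class of bug entirely rather than patching one encoding step, and it means the post password is not sitting in plaintext in every reader's cookie jar for the cookie's lifetime. Note that a stolen hash cookie still grants access to the post until it expires, so it should be sent with the same path, Secure and HttpOnly attributes as any other session-like cookie.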