[wp-trac] [WordPress Trac] #24973: Impossible to login with passwords that contain trailing or leading spaces

WordPress Trac noreply at wordpress.org
Tue Aug 6 19:55:25 UTC 2013


#24973: Impossible to login with passwords that contain trailing or leading spaces
--------------------------+-----------------------------
 Reporter:  rpattillo     |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Users         |    Version:  3.6
 Severity:  normal        |   Keywords:
--------------------------+-----------------------------
 It is possible to set a user's password to a string that includes leading
 or trailing spaces. The spaces will be hashed with the password as it is
 saved. During login attempts, the spaces will be trimmed before hashing,
 making it impossible to log in again.

 To reproduce:

 1] Log in.
 2] Navigate to /wp-admin/profile.php to edit your profile.
 3] In the new password and confirmation fields, enter any password
 followed by trailing spaces.
 4] Log out
 5] Try to log in using the new password with trailing spaces and without.

 What is expected:
 The password without trailing spaces should work. This would be in line
 with what happens if the password is changed via the lost password system,
 and the new password has trailing or leading spaces.

 What actually happens:
 Neither the password without trailing spaces nor the password with the
 same trailing spaces will work. It will be impossible for the user to
 log in until the password is reset again.

 This is similar to ticket #23494. The resolution there was to trim the
 password in wp_set_password() before passing it to wp_hash_password().
 However, not all methods of changing the password go through
 wp_set_password().

--
Ticket URL: <http://core.trac.wordpress.org/ticket/24973>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
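
The mismatch reported in this ticket, as an added example that is not part of the original message and is not WordPress core code: one save path hashes the raw input while the login path trims first, so no submitted string can match, and routing every save through the same normalization removes the lockout. The function names and the in-memory user array are hypothetical, and PHP's built-in password_hash()/password_verify() stand in for WordPress's own hasher.

```php
<?php
// Added illustration. normalize_password(), save_password_raw(),
// save_password_normalized() and check_login() are hypothetical names,
// not WordPress functions. $users is a constructed in-memory store.

// Single place that decides how a submitted password is normalized.
function normalize_password(string $password): string {
    return trim($password);
}

// Save path with the defect from the ticket: the raw input, spaces
// included, is what gets hashed.
function save_password_raw(array &$users, string $login, string $password): void {
    $users[$login] = password_hash($password, PASSWORD_DEFAULT);
}

// Consistent save path: applies the same normalization as the login path.
function save_password_normalized(array &$users, string $login, string $password): void {
    $users[$login] = password_hash(normalize_password($password), PASSWORD_DEFAULT);
}

// Login path: trims the submitted password before verifying it.
function check_login(array $users, string $login, string $password): bool {
    return isset($users[$login])
        && password_verify(normalize_password($password), $users[$login]);
}

// Try the password as typed and with the spaces removed, then report both.
function report(string $label, array $users, string $typed): void {
    printf(
        "%-18s as typed: %s, trimmed: %s\n",
        $label,
        var_export(check_login($users, 'alice', $typed), true),
        var_export(check_login($users, 'alice', trim($typed)), true)
    );
}

$users = [];
$typed = 'correct horse  '; // constructed sample with two trailing spaces

save_password_raw($users, 'alice', $typed);
report('raw save', $users, $typed);

save_password_normalized($users, 'alice', $typed);
report('normalized save', $users, $typed);
```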

