[wp-trac] [WordPress Trac] #24367: Admin login with correct password fails
WordPress Trac
noreply at wordpress.org
Mon May 27 03:02:19 UTC 2013
#24367: Admin login with correct password fails
----------------------------+--------------------
Reporter: sergej.mueller | Owner:
Type: defect (bug) | Status: new
Priority: high | Milestone: 3.6
Component: Administration | Version: trunk
Severity: blocker | Resolution:
Keywords: has-patch |
----------------------------+--------------------
Changes (by SergeyBiryukov):

* milestone: Awaiting Review => 3.6

Comment:

Somehow I missed that `edit_user()` actually sets the user's password from
`$_POST['pass1']`, not just checks it.

Before [23634], we used to store a hash of the slashed password. We also
passed the slashed password to `check_passwords` and
`user_profile_update_errors` actions.

Now we store a hash of the unslashed password. We could add `wp_unslash()`
to `wp_signon()`, as suggested in [attachment:24367.patch]
([attachment:24367.2.patch] also removes an obsolete `stripslashes()` call
from `edit_user()`). However, that would break passwords with slashes
created prior to [23634].

Looks like we need to continue to use slashed passwords internally.
[attachment:24367.3.patch] is a partial revert of [23634]. It just fixes
the password in the notification email, as originally suggested in #17018.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24367#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
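
The mismatch described in the comment above, as an added example that is not part of the original message or of WordPress core. It assumes `addslashes()`/`stripslashes()` as stand-ins for `wp_slash()`/`wp_unslash()`, PHP's `password_hash()`/`password_verify()` as stand-ins for WordPress's own password hashing, and that the login path receives the slashed `$_POST` value; the function names and the sample password are hypothetical.

```php
<?php
// Added illustration; not WordPress core code.
// addslashes()/stripslashes() stand in for wp_slash()/wp_unslash();
// password_hash()/password_verify() stand in for WordPress's password hashing.

/** The value PHP code sees in $_POST once the request data has been slashed. */
function as_posted(string $typed): string {
    return addslashes($typed);
}

/** Hash written by the profile update path (edit_user() in the ticket). */
function store_password(string $posted, bool $unslash_on_save): string {
    $value = $unslash_on_save ? stripslashes($posted) : $posted;
    return password_hash($value, PASSWORD_DEFAULT);
}

/** Comparison made by the login path (wp_signon() in the ticket). */
function login_ok(string $posted, string $stored_hash, bool $unslash_on_login): bool {
    $value = $unslash_on_login ? stripslashes($posted) : $posted;
    return password_verify($value, $stored_hash);
}

// Constructed sample password containing a quote and a backslash.
$typed  = "pa'ss\\word";
$posted = as_posted($typed);

$legacy_hash = store_password($posted, false); // before [23634]: hash of the slashed value
$new_hash    = store_password($posted, true);  // after [23634]: hash of the unslashed value

$cases = [
    'legacy hash, slashed login (before [23634])'   => login_ok($posted, $legacy_hash, false),
    'new hash, slashed login (this ticket)'         => login_ok($posted, $new_hash, false),
    'new hash, unslashed login (24367.patch)'       => login_ok($posted, $new_hash, true),
    'legacy hash, unslashed login (24367.patch)'    => login_ok($posted, $legacy_hash, true),
];

foreach ($cases as $label => $ok) {
    printf("%-46s %s\n", $label, $ok ? 'login ok' : 'LOGIN FAILS');
}

// Control: a password with nothing to escape is identical slashed and unslashed,
// so it verifies no matter which side strips slashes.
$plain = as_posted('correct horse battery');
printf("%-46s %s\n", 'no quotes or backslashes, mixed handling',
    login_ok($plain, store_password($plain, true), false) ? 'login ok' : 'LOGIN FAILS');
```

The second case is the failure reported in this ticket and the fourth is the regression the comment warns about; both sides of the comparison have to agree on slashed or unslashed input for every stored hash to keep verifying.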