[wp-trac] [WordPress Trac] #27740: Passwords consisting of spaces are valid at install time

WordPress Trac noreply at wordpress.org
Sat Jun 7 10:40:51 UTC 2014

#27740: Passwords consisting of spaces are valid at install time
 Reporter:  nfreader         |       Owner:
     Type:  defect (bug)     |      Status:  new
 Priority:  normal           |   Milestone:  Awaiting Review
Component:  Upgrade/Install  |     Version:  3.8.2
 Severity:  normal           |  Resolution:
 Keywords:                   |     Focuses:

Comment (by izem):

 [this is my first time trying to contribute to WordPress, hope I'm doing
 it right]

 I've reproduced this on version 4.0-alpha-28611-src

 The whitespace-only password is passed as-is from wp-admin/install.php to
 wp_install function at wp-admin/includes/upgrade.php, there a trim
 function is used that make it an empty string. If password is empty,
 wp_generate_password function is called to generate a random password for
 the user (in according to: "A password will be automatically generated for
 you if you leave this blank.").
 Thing is, user didn't leave the password blank and might expect it to be
 the whitespace-only password he entered and not a random password that
 will be emailed to him later.

 To avoid this we can add another poka-yoke at wp-admin/install.php
 I've made a patch that check if admin_password isn't empty, but becomes
 empty if trim() is used on it.

Ticket URL: <https://core.trac.wordpress.org/ticket/27740#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list