[wp-trac] [WordPress Trac] #31647: zxcvbn.js is old
WordPress Trac
noreply at wordpress.org
Wed May 31 16:06:20 UTC 2017
#31647: zxcvbn.js is old
--------------------------------+-------------------------
Reporter: muranyia | Owner: pento
Type: enhancement | Status: closed
Priority: normal | Milestone: 4.8
Component: External Libraries | Version:
Severity: normal | Resolution: fixed
Keywords: | Focuses: javascript
--------------------------------+-------------------------
Comment (by jrchamp):
@Otto42 Technically, the lists are not converted back to normal before
use. They are only converted during use of the zxcvbn() function and
stored in a temporary variable (meaning that the conversion must happen
for each call to this function). The dictionary lists themselves are never
modified, which is why matching.dictionary_match() is modified to ROT13
the password being checked so that the ROT13 substrings may be used
against the dictionary lists directly (and the matching substring must
then be re-ROT13'd to return the raw matching value). As long as no other
code/functions directly access the dictionary lists, it should work fine,
but this seems like a somewhat fragile assumption unless careful
evaluation is done during each upgrade.
To answer my own question, the adjacency_graphs/spatial_match checks
operate on the original user-supplied password and do not appear to
interact with the dictionaries directly. The main.coffee's misleading
variable name "user_inputs" is not related to user input, but rather an
optional dictionary list override.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/31647#comment:13>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
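
The matching flow described in the comment above, as an added JavaScript sketch that is not WordPress's or zxcvbn's own code. The function names, the dictionary shape and the three-word list are assumptions constructed for illustration.

```javascript
// Added illustration; all names here are hypothetical, not zxcvbn's API.
// ROT13 is its own inverse for ASCII letters; other characters pass through.
function rot13(s) {
  return s.replace(/[a-zA-Z]/g, (c) => {
    const base = c <= 'Z' ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Constructed sample list, stored ROT13-encoded and never decoded in place.
// Plain forms: "password", "dragon", "letmein"; the value is the word's rank.
const ROT13_RANKED = { cnffjbeq: 1, qentba: 2, yrgzrva: 3 };

// Encode the candidate password once, look up every encoded substring in the
// encoded list, then re-ROT13 only the substring that matched.
function dictionaryMatch(password, rankedDict) {
  const encoded = rot13(password.toLowerCase());
  const matches = [];
  for (let i = 0; i < encoded.length; i++) {
    for (let j = i; j < encoded.length; j++) {
      const sub = encoded.slice(i, j + 1);
      if (Object.prototype.hasOwnProperty.call(rankedDict, sub)) {
        matches.push({
          i,
          j,
          token: password.slice(i, j + 1), // what the user typed
          matched_word: rot13(sub),        // raw dictionary word, decoded
          rank: rankedDict[sub],
        });
      }
    }
  }
  return matches;
}

// The fragile case: code that reads the list directly, without encoding its
// input first, silently misses real words and accepts encoded ones.
function naiveLookup(word, rankedDict) {
  return Object.prototype.hasOwnProperty.call(rankedDict, word.toLowerCase());
}
```

A regression check of this shape, run against the real dictionary consumers after each library upgrade, is one way to catch a new code path that bypasses the encoding step.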