[wp-trac] [WordPress Trac] #42183: wp_update_user() conditional compares a plain-text password to the hashed old
WordPress Trac
noreply at wordpress.org
Wed Oct 11 16:20:06 UTC 2017
#42183: wp_update_user() conditional compares a plain-text password to the hashed
old
------------------------------------+------------------------------
Reporter: yudge | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Users | Version: 4.5.2
Severity: normal | Resolution:
Keywords: has-patch dev-feedback | Focuses: administration
------------------------------------+------------------------------
Comment (by johnjamesjacoby):

Hi @yudge, thanks for your ticket here. Hello @rinkuyadav999, thanks also
for the patch!

I think the most-correct approach is to use `wp_check_password()` instead
of loading the hasher directly. That function includes considerations for
backwards compatibility issues, which are especially useful during this
password change workflow.

Unfortunately, `wp_insert_user()` also still expects the
`$userdata['user_pass']` to be hashed already, so we'll need to use both
functions back to back to maintain backwards compatibility throughout the
rest of the system.

I'll attach a next-pass patch imminently for deeper scrutiny.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42183#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
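
The check-then-hash flow described in the comment above, as an added example; it is not WordPress core code and not the patch attached to the ticket. The `demo_*` functions are hypothetical stand-ins for `wp_check_password()` and `wp_hash_password()`, built on PHP's native password API so the script runs without WordPress loaded. It assumes the second function meant is the hashing one and that some callers pass the stored hash straight back.

```php
<?php
// Added example: hypothetical helpers, not WordPress core functions.

function demo_hash_password(string $plain): string {
    // Stand-in for wp_hash_password().
    return password_hash($plain, PASSWORD_DEFAULT);
}

function demo_check_password(string $plain, string $hash): bool {
    // Stand-in for wp_check_password().
    return password_verify($plain, $hash);
}

/**
 * Decide what to hand to an inserter that expects an already-hashed user_pass.
 * Returns [bool $changed, string $hash_to_store].
 */
function demo_resolve_user_pass(string $submitted, string $stored_hash): array {
    // Assumed caller pattern: the stored hash is passed straight back.
    if (hash_equals($stored_hash, $submitted)) {
        return [false, $stored_hash];
    }
    // Plain text that verifies against the stored hash is the same password.
    if (demo_check_password($submitted, $stored_hash)) {
        return [false, $stored_hash];
    }
    // Anything else is a new plain-text password: hash it before storing.
    return [true, demo_hash_password($submitted)];
}

// Constructed sample data.
$stored = demo_hash_password('correct horse battery staple');

// The comparison named in the ticket title: plain text is never identical to
// the hash, so an unchanged password still looks like a change.
var_dump('correct horse battery staple' !== $stored);

// Same plain text, stored hash passed back, and a genuinely new password.
foreach (['correct horse battery staple', $stored, 'a new passphrase'] as $input) {
    [$changed, $hash] = demo_resolve_user_pass($input, $stored);
    printf("changed=%s stored_hash_kept=%s\n",
        var_export($changed, true), var_export($hash === $stored, true));
}
```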