[wp-trac] [WordPress Trac] #42183: wp_update_user() conditional compares a plain-text password to the hashed old

WordPress Trac noreply at wordpress.org
Wed Oct 11 16:20:06 UTC 2017


#42183: wp_update_user() conditional compares a plain-text password to the hashed old
------------------------------------+------------------------------
 Reporter:  yudge                   |       Owner:
     Type:  defect (bug)            |      Status:  new
 Priority:  normal                  |   Milestone:  Awaiting Review
Component:  Users                   |     Version:  4.5.2
 Severity:  normal                  |  Resolution:
 Keywords:  has-patch dev-feedback  |     Focuses:  administration
------------------------------------+------------------------------

Comment (by johnjamesjacoby):

 Hi @yudge, thanks for your ticket here. Hello @rinkuyadav999, thanks also
 for the patch!

 I think the most-correct approach is to use `wp_check_password()` instead
 of loading the hasher directly. That function includes considerations for
 backwards compatibility issues, which are especially useful during this
 password change workflow.

 Unfortunately, `wp_insert_user()` also still expects the
 `$userdata['user_pass']` to be hashed already, so we'll need to use both
 functions back to back to maintain backwards compatibility throughout the
 rest of the system.

 I'll attach a next-pass patch imminently for deeper scrutiny.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/42183#comment:2>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
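The two-step approach the comment describes, as an added illustration (not WordPress core code and not the ticket's patch): `example_prepare_user_pass` is a hypothetical helper; `wp_check_password()`, `wp_hash_password()`, `wp_insert_user()` and `get_userdata()` are standard WordPress core functions.

```php
<?php
/**
 * Hypothetical helper illustrating the fix discussed in the comment above
 * (not WordPress core and not the ticket's patch).
 *
 * The defect: a conditional of the form
 *     $userdata['user_pass'] !== $user->user_pass
 * compares a plain-text candidate with the stored hash, so it is always
 * "different" and the password is re-hashed (and treated as changed) on
 * every call, even when the caller passed the user's current password.
 */
function example_prepare_user_pass( array $userdata ) {
    $user = get_userdata( (int) $userdata['ID'] );
    if ( ! $user ) {
        return new WP_Error( 'invalid_user_id', 'Invalid user ID.' );
    }

    if ( isset( $userdata['user_pass'] ) && '' !== $userdata['user_pass'] ) {
        // Correct comparison: verify the plain-text value against the stored
        // hash with wp_check_password(), which also handles legacy hash
        // formats, instead of instantiating the hasher directly.
        $unchanged = wp_check_password( $userdata['user_pass'], $user->user_pass, $user->ID );

        if ( $unchanged ) {
            // Same password: keep the existing hash so nothing is rewritten
            // and no "password changed" side effects are triggered.
            $userdata['user_pass'] = $user->user_pass;
        } else {
            // New password: wp_insert_user() expects user_pass to already be
            // hashed, so hash it here before handing the array on.
            $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
        }
    }

    return wp_insert_user( $userdata );
}
```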