[wp-trac] [WordPress Trac] #44628: Repair DB rehashes password to md5
WordPress Trac
noreply at wordpress.org
Mon Jul 23 17:42:29 UTC 2018
#44628: Repair DB rehashes password to md5
--------------------------+------------------------------
Reporter: yani.iliev | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Database | Version: trunk
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+------------------------------
Comment (by yani.iliev):
The code that rehashes the password is in
https://core.trac.wordpress.org/browser/trunk/src/wp-admin/includes/upgrade.php?annotate=blame#L889
**upgrade_110** is used to convert plaintext passwords to md5; however,
the hash has changed in the most recent versions of WordPress and the
regex needs updating.
**wp_check_password** uses
{{{#!php
<?php
if ( strlen($hash) <= 32 ) {
}}}
to check if the hash is md5 but ideally it should be === because md5 is
always 32 characters.
https://core.trac.wordpress.org/browser/tags/4.9.7/src/wp-includes/pluggable.php#L2237
 * if password length < 32, hash password with md5
 * if password length === 32, check if the string has all valid md5 characters
   * if the password has valid md5 characters, assume it is md5 checksum
   * else assume it is not hashed and md5 hash it
 * if the password is > 32 characters, do not hash it
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44628#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
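
The length rules proposed in the comment above, written out as an added example (not part of the original comment and not WordPress core code). The function names `classify_stored_password()` and `repair_value()` and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration: function names are hypothetical, not WordPress core APIs.

/**
 * Classify a value from the password column using the length rules
 * proposed in the comment: 'plaintext', 'md5' or 'leave'.
 */
function classify_stored_password( string $stored ): string {
	$len = strlen( $stored );
	if ( $len < 32 ) {
		return 'plaintext'; // Too short to be an md5 digest.
	}
	if ( $len > 32 ) {
		return 'leave';     // Longer than md5: treat as already hashed.
	}
	// Exactly 32 characters: md5 only if all 32 are hex digits.
	return preg_match( '/^[0-9a-f]{32}$/i', $stored ) === 1 ? 'md5' : 'plaintext';
}

/** Return the value a repair pass would write back. */
function repair_value( string $stored ): string {
	return classify_stored_password( $stored ) === 'plaintext' ? md5( $stored ) : $stored;
}

// Constructed sample values, not taken from any real database.
$samples = array(
	'short plaintext'       => 'hunter2',
	'md5 digest'            => md5( 'hunter2' ),
	'34-char longer hash'   => '$P$B' . str_repeat( 'a', 30 ),
	'32-char non-hex text'  => str_repeat( 'z', 32 ),
	// Caveat: a 32-character plaintext made only of hex digits cannot be
	// told apart from an md5 digest, so it is left unhashed.
	'32-char hex plaintext' => 'deadbeefdeadbeefdeadbeefdeadbeef',
);

foreach ( $samples as $label => $value ) {
	$class   = classify_stored_password( $value );
	$changed = repair_value( $value ) === $value ? 'unchanged' : 'rehashed with md5';
	printf( "%-22s %-9s %s\n", $label, $class, $changed );
}
```

Because `md5()` output is always 32 hex characters, a second pass classifies every rehashed value as `md5` and leaves it alone, so the repair is idempotent under these rules.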