[wp-trac] [WordPress Trac] #45100: White space passwords
WordPress Trac
noreply at wordpress.org
Wed Oct 17 02:25:24 UTC 2018
#45100: White space passwords
------------------------------------+-----------------------------
Reporter: 3Lancer | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version:
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
WordPress file: wp-includes/user.php > function wp_signon()
Allows white space characters in the password upon account creation, yet
trims them on logging in. This causes an issue if only using white spaces
as the entire password or using them as a buffer to shorten password
lengths below the set allowed minimum length.
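{{{#!php
<?php
// Sign in with a password made up only of white space.
$creds = array();
$creds['user_login']    = 'example';
$creds['user_password'] = ' ';
$creds['remember']      = true;

// Second argument: do not use a secure cookie.
$user = wp_signon( $creds, false );
if ( is_wp_error( $user ) ) {
    // Collect the login error message.
    $this->errors[] = $user->get_error_message();
}
}}}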
Password: "        " (8 white space characters or more)
- Fails to allow any logging into that account and instead returns “ERROR:
The password field is empty.”
Password: "       1" (7 white space characters and a single letter or number)
- Lets users bypass the minimum password length and just log in with '1'
--
Ticket URL: <https://core.trac.wordpress.org/ticket/45100>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
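
The mismatch the ticket describes, modeled as an added stand-alone PHP example (not WordPress code and not from the reporter), with the creation-time check shown beside a corrected one that normalizes the password the same way the login path does. All function names are hypothetical, the minimum length of 8 is taken from the ticket's examples, and hashing the trimmed value is an assumption made so the model reproduces the reported login behaviour.

```php
<?php
// Added illustration, not WordPress code. MIN_LEN = 8 is an assumption taken
// from the ticket's examples; all function names are hypothetical.
const MIN_LEN = 8;

// Creation-time check as the ticket describes it: length measured on raw input.
function register_raw_check(string $password): ?string {
    if (strlen($password) < MIN_LEN) {
        return null; // rejected
    }
    // Assumption: the stored hash covers the trimmed value, like the login path.
    return password_hash(trim($password), PASSWORD_DEFAULT);
}

// Login path as the ticket describes it: trim first, refuse empty, then verify.
function login(string $password, string $hash): string {
    $password = trim($password);
    if ($password === '') {
        return 'empty';
    }
    return password_verify($password, $hash) ? 'ok' : 'bad';
}

// Corrected creation check: normalize exactly as login does, then measure.
function register_normalized_check(string $password): ?string {
    $password = trim($password);
    if (strlen($password) < MIN_LEN) {
        return null; // rejected: too short once white space is removed
    }
    return password_hash($password, PASSWORD_DEFAULT);
}

// Constructed sample inputs mirroring the two cases in the ticket, plus a
// password that is long enough after trimming.
$cases = [
    'spaces only'   => str_repeat(' ', 8),
    'spaces plus 1' => str_repeat(' ', 7) . '1',
    'long enough'   => '  correct horse  ',
];

foreach ($cases as $label => $pw) {
    $hash = register_raw_check($pw);
    $raw  = $hash === null
        ? 'rejected'
        : 'accepted, login=' . login($pw, $hash) . ', effective length=' . strlen(trim($pw));
    $fix  = register_normalized_check($pw) === null ? 'rejected' : 'accepted';
    printf("%-14s raw: %-42s normalized: %s\n", $label, $raw, $fix);
}
```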