[wp-trac] [WordPress Trac] #56787: Recovery mode tokens can't be validated successfully if pluggable function wp_check_password is overwritten.
WordPress Trac
noreply at wordpress.org
Tue Oct 11 12:38:57 UTC 2022
#56787: Recovery mode tokens can't be validated successfully if pluggable function wp_check_password is overwritten.
------------------------------------+-----------------------------
Reporter: calvinalkan | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Login and Registration | Version: 6.0.2
Severity: normal | Keywords:
Focuses: |
------------------------------------+-----------------------------
WordPress allows users to override the wp_hash_password and
wp_check_password functions with alternative implementations.
How passwords are hashed is an implementation detail. Call sites must not
make assumptions about how they are implemented.
WordPress [generates recovery mode tokens using PHPass's PasswordHash class](https://github.com/WordPress/WordPress/blob/c03305852e7e40e61cad5798eba9ebc3b961e27a/wp-includes/class-wp-recovery-mode-key-service.php#L57).
To validate recovery tokens, `wp_check_password` [is used](https://github.com/WordPress/WordPress/blob/c03305852e7e40e61cad5798eba9ebc3b961e27a/wp-includes/class-wp-recovery-mode-key-service.php#L109).
This is a bug. Any implementation of `wp_check_password` that doesn't use
PHPass will cause the recovery tokens to always be invalid.
There are two possibilities:
- Either use PasswordHash::HashPassword() + PasswordHash::CheckPassword(), or
- Use wp_hash_password and wp_check_password
Mixing the two violates the Liskov substitution principle (if we consider
pluggable functions as the WordPress version of interfaces).
In all other places in Core, this principle is respected. It looks like
recovery tokens slipped through.
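The following is an added illustration of the mismatch the ticket describes; it is not WordPress core code. It models a site that overrides the pluggable pair with PHP's native bcrypt functions, a simplified stand-in for PHPass's PasswordHash (the `$P$` format here is a placeholder, not real PHPass output), and the two ways a recovery-key service can be wired. `generate_key_current`/`validate_key_current`, `generate_key_consistent`/`validate_key_consistent` and `PasswordHashStandIn` are hypothetical names for this example.

```php
<?php
// Pluggable override, as a plugin would define it before pluggable.php loads.
// Core only defines wp_hash_password/wp_check_password if they don't exist yet.
// This site uses bcrypt (PHP native), not PHPass.
if ( ! function_exists( 'wp_hash_password' ) ) {
    function wp_hash_password( string $password ): string {
        return password_hash( $password, PASSWORD_BCRYPT );
    }
}
if ( ! function_exists( 'wp_check_password' ) ) {
    function wp_check_password( string $password, string $hash, $user_id = '' ): bool {
        // password_verify() only understands crypt()-style hashes it produced
        // (e.g. "$2y$..."); any other format is rejected.
        return password_verify( $password, $hash );
    }
}

// Simplified stand-in for PHPass's PasswordHash (assumption: real PHPass uses a
// salted, iterated MD5 scheme; this placeholder only preserves the "$P$" prefix
// and the hash/check pairing so the example runs without the library).
class PasswordHashStandIn {
    public function HashPassword( string $password ): string {
        $salt = bin2hex( random_bytes( 4 ) );
        return '$P$' . $salt . '$' . hash( 'sha256', $salt . $password );
    }

    public function CheckPassword( string $password, string $stored ): bool {
        $parts = explode( '$', $stored ); // ['', 'P', salt, digest]
        if ( count( $parts ) !== 4 || $parts[1] !== 'P' ) {
            return false;
        }
        return hash_equals( $parts[3], hash( 'sha256', $parts[2] . $password ) );
    }
}

// Wiring as described in the ticket: the token is hashed with PasswordHash,
// but validated through the pluggable wp_check_password.
function generate_key_current( PasswordHashStandIn $hasher ): array {
    $token = bin2hex( random_bytes( 22 ) );
    return [ 'token' => $token, 'hashed' => $hasher->HashPassword( $token ) ];
}

function validate_key_current( string $token, string $hashed ): bool {
    // Overridden bcrypt verifier is handed a "$P$" hash: it cannot succeed.
    return wp_check_password( $token, $hashed );
}

// Consistent wiring: hash and verify through the same pluggable pair, so any
// override (bcrypt, Argon2, PHPass) keeps tokens valid.
function generate_key_consistent(): array {
    $token = bin2hex( random_bytes( 22 ) );
    return [ 'token' => $token, 'hashed' => wp_hash_password( $token ) ];
}

function validate_key_consistent( string $token, string $hashed ): bool {
    return wp_check_password( $token, $hashed );
}

$hasher = new PasswordHashStandIn();

$key = generate_key_current( $hasher );
echo 'mixed hash/check: ', var_export( validate_key_current( $key['token'], $key['hashed'] ), true ), PHP_EOL;

$key = generate_key_consistent();
echo 'consistent pair:  ', var_export( validate_key_consistent( $key['token'], $key['hashed'] ), true ), PHP_EOL;
```

With the override in place, the first check fails for every token because a bcrypt verifier is asked to validate a non-bcrypt hash, which is the "always invalid" behaviour the ticket reports; the second check passes because both sides of the recovery-key service go through the same pluggable pair. The same symmetry holds for the other option the ticket lists (PasswordHash::HashPassword paired with PasswordHash::CheckPassword); what breaks is mixing the two.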
--
Ticket URL: <https://core.trac.wordpress.org/ticket/56787>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform