From 733682b8fd1b6ba890dc2138532e0bce23d7b15c Mon Sep 17 00:00:00 2001 From: mklute101 Date: Tue, 17 Sep 2024 10:43:39 -0700 Subject: [PATCH 1/8] commiting track version
---
 src/wp-includes/user.php | 36 +++++++++++++++++++++++++++++++++---
 1 file changed, 33 insertions(+), 3 deletions(-)
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index c234c495dfe3d..c0821b5c3be9c 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2136,8 +2136,26 @@ function wp_insert_user( $userdata ) {
 $user_pass = ! empty( $userdata['user_pass'] ) ? $userdata['user_pass'] : $old_user_data->user_pass;
 } else {
 $update = false;
+
+ /**
+ * Filters a password before hashing it.
+ *
+ * @since 5.7.3
+ *
+ * @param string $userdata['user_pass'] The user's password.
+ */
+ $pre_hash_password = apply_filters( 'pre_hash_password', $userdata['user_pass'] );
+
+ if ( empty( $pre_hash_password ) ) {
+ return new WP_Error( 'empty_pre_hash_password', __( 'Cannot create a user with an empty password.' ) );
+ }
+
+ if ( false !== strpos( $pre_hash_password, '\\' ) ) {
+ return new WP_Error( 'illegal_pre_hash_password', __( 'Passwords may not contain the character "\\".' ) );
+ }
+
 // Hash the password.
- $user_pass = wp_hash_password( $userdata['user_pass'] );
+ $user_pass = wp_hash_password( $pre_hash_password );
 }
 $sanitized_user_login = sanitize_user( $userdata['user_login'], true );
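Review bot: `if ( empty( $pre_hash_password ) )` in the new `else` branch also rejects the password `'0'`, because PHP's `empty()` is true for the string `'0'`, and it never confirms that the filter returned a string before the value reaches `wp_hash_password()`; `if ( ! is_string( $pre_hash_password ) || '' === $pre_hash_password )` pins the intended check. The filter docblock's `@param string $userdata['user_pass']` names an array slot rather than the value being passed; I would write `@param string $password The plain-text password about to be hashed.` and add a sentence that callbacks receive the plaintext and must not log or persist it. Whether `$userdata['user_pass']` arrives slashed is not visible in this hunk, so the backslash rejection may be inspecting the escaped form rather than what the user typed — worth settling against the function's docblock before the check ships. wp_insert_user continues outside the hunk.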
@@ -2591,9 +2609,21 @@ function wp_update_user( $userdata ) {
 $user = add_magic_quotes( $user );
 if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
+
+ /** This filter is documented in wp-includes/user.php */
+ $pre_hash_password = apply_filters( 'pre_hash_password', $userdata['user_pass'] );
+
+ if ( empty( $pre_hash_password ) ) {
+ return new WP_Error( 'empty_pre_hash_password', __( 'Empty password.' ) );
+ }
+
+ if ( false !== strpos( $pre_hash_password, '\\' ) ) {
+ return new WP_Error( 'illegal_pre_hash_password', __( 'Passwords may not contain the character "\\".' ) );
+ }
+
 // If password is changing, hash it now.
- $plaintext_pass = $userdata['user_pass'];
- $userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
+ $plaintext_pass = $pre_hash_password;
+ $userdata['user_pass'] = wp_hash_password( $pre_hash_password );
 /**
 * Filters whether to send the password change email.
From 8478f176b060255a80eccaad28aabfb986a61cf5 Mon Sep 17 00:00:00 2001 From: mklute101 Date: Tue, 17 Sep 2024 11:13:44 -0700 Subject: [PATCH 2/8] Replace usage of `strpos()` with `str_contains()`. WordPress core includes a polyfill for `str_contains()` on PHP < 8.0 as of WordPress 5.9.
---
 src/wp-includes/user.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index c0821b5c3be9c..34c46ff470467 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2150,7 +2150,7 @@ function wp_insert_user( $userdata ) {
 return new WP_Error( 'empty_pre_hash_password', __( 'Cannot create a user with an empty password.' ) );
 }
- if ( false !== strpos( $pre_hash_password, '\\' ) ) {
+ if ( str_contains( wp_unslash( $pre_hash_password ), '\\' ) ) {
 return new WP_Error( 'illegal_pre_hash_password', __( 'Passwords may not contain the character "\\".' ) );
 }
From 549954b0c8b71cce70fa90041ca97c37a2217e18 Mon Sep 17 00:00:00 2001
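Review bot: Returning `new WP_Error( 'empty_pre_hash_password', … )` from inside the `if ( ! empty( $userdata['user_pass'] ) … )` block means a `pre_hash_password` callback that returns an empty value aborts the whole `wp_update_user()` call, including any non-password fields in the same request, even though the caller supplied a non-empty password; that is a new failure mode callers cannot anticipate. If that is intended, the message should match the create path (`'Cannot create a user with an empty password.'` there versus `'Empty password.'` here) so callers can present one string; otherwise skipping the password change would be the safer reaction. As in the create path, `empty()` also rejects the string `'0'`, so `'' === $pre_hash_password` is the precise check. The enclosing `if` block and wp_update_user continue past the end of the hunk.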
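Review bot: The new condition inspects `wp_unslash( $pre_hash_password )`, but the value that reaches `wp_hash_password()` a few lines below (outside this hunk) is still the unmodified `$pre_hash_password`, so the string that is validated is not the string that is hashed. Either unslash once into the variable before both the check and the hash — `$pre_hash_password = wp_unslash( $pre_hash_password );` ahead of the `if` — or check the raw value; which is correct depends on whether `wp_insert_user()` receives slashed data, which this hunk does not show. The subject line justifies only the `strpos()` → `str_contains()` swap; the `wp_unslash()` addition is the behavioural part of the change and it is not mentioned.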
From: mklute101 Date: Tue, 17 Sep 2024 11:45:40 -0700 Subject: [PATCH 3/8] removed use of wp_unslash as WordPress hasn't done any escaping to this point.
---
 src/wp-includes/user.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 34c46ff470467..58a0df461ab49 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2150,7 +2150,7 @@ function wp_insert_user( $userdata ) {
 return new WP_Error( 'empty_pre_hash_password', __( 'Cannot create a user with an empty password.' ) );
 }
- if ( str_contains( wp_unslash( $pre_hash_password ), '\\' ) ) {
+ if ( str_contains( ( $pre_hash_password ), '\\' ) ) {
 return new WP_Error( 'illegal_pre_hash_password', __( 'Passwords may not contain the character "\\".' ) );
 }
From 2d89001d3ce45b2ca3e08434ce31fc82650a3fa8 Mon Sep 17 00:00:00 2001 From: mklute101 Date: Tue, 17 Sep 2024 14:47:30 -0700 Subject: [PATCH 4/8] update @ since tag to 6.7.0
---
 src/wp-includes/user.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index 58a0df461ab49..ac02e5586b77d 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2140,7 +2140,7 @@ function wp_insert_user( $userdata ) {
 /**
 * Filters a password before hashing it.
 *
- * @since 5.7.3
+ * @since 6.7.0
 *
 * @param string $userdata['user_pass'] The user's password.
 */
From 2a4dc7770fe81cfafb0a4c38674d93c9f6856cb0 Mon Sep 17 00:00:00 2001 From: mklute101 Date: Tue, 17 Sep 2024 14:48:25 -0700 Subject: [PATCH 5/8] test for empty pass and slash
---
 tests/phpunit/tests/user.php | 38 ++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index 804511990f4ef..8c1ca0f5b13da 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
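Review bot: `str_contains( ( $pre_hash_password ), '\\' )` keeps a redundant pair of parentheses left over from removing `wp_unslash()`; write `str_contains( $pre_hash_password, '\\' )`. The commit message asserts that no escaping has happened at this point, but the hunk cannot show that: `wp_update_user()` in this same series calls `add_magic_quotes( $user )` immediately before its password handling, which suggests the surrounding code works with slashed values, and if `$userdata['user_pass']` is slashed on entry then a backslash check on the raw value also rejects every password containing an escaped quote. Please state in the `pre_hash_password` docblock whether callbacks receive the slashed or unslashed plaintext, since plugins hooking it need to know. The enclosing `else` branch begins before the hunk.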
@@ -2185,4 +2185,42 @@ public function export_additional_user_profile_data_with_dup_name() {
 return $additional_profile_data;
 }
+
+ /**
+ * Test that an error is returned when the password is empty.
+ *
+ * @ticket 49639
+ */
+ public function test_wp_insert_user_empty_password() {
+ $user_data = array(
+ 'user_login' => 'test_user_empty',
+ 'user_email' => 'test_user_empty@example.com',
+ 'user_pass' => '', // Empty password
+ );
+
+ $create_user = wp_insert_user( $user_data );
+
+ $this->assertWPError( $create_user );
+ $this->assertSame( 'empty_pre_hash_password', $create_user->get_error_code() );
+ $this->assertSame( 'Cannot create a user with an empty password.', $create_user->get_error_message() );
+ }
+
+ /**
+ * Test that an error is returned when the password contains a backslash.
+ *
+ * @ticket 49639
+ */
+ public function test_wp_insert_user_password_with_backslash() {
+ $user_data = array(
+ 'user_login' => 'test_user_backslash',
+ 'user_email' => 'test_user_backslash@example.com',
+ 'user_pass' => 'password\\123',
+ );
+
+ $create_user = wp_insert_user( $user_data );
+
+ $this->assertWPError( $create_user );
+ $this->assertSame( 'illegal_pre_hash_password', $create_user->get_error_code() );
+ $this->assertSame( 'Passwords may not contain the character "\\".', $create_user->get_error_message() );
+ }
 }
From 7c597dc1758a79692abfc991e89d3a4f1264efd7 Mon Sep 17 00:00:00 2001 From: mklute101 Date: Tue, 17 Sep 2024 15:58:10 -0700 Subject: [PATCH 6/8] remove check for slash, as it seems to be allowed and caused this test failure 1) WP_Test_REST_Users_Controller::test_user_roundtrip_as_editor Failed asserting that 500 is identical to 200.
---
 src/wp-includes/user.php | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index ac02e5586b77d..dc7aac5a027a3 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
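Review bot: Both new tests exercise only the error branches; nothing asserts that the value returned by the `pre_hash_password` filter is what `wp_insert_user()` actually hashes, which is the behaviour this series introduces, and the `wp_update_user()` branch with its different `'Empty password.'` message has no test at all. A test that hooks the filter, creates a user, and checks the stored hash with `wp_check_password()` (the counterpart of `wp_hash_password()`) against the filtered value and not the original would cover the happy path. The sketch below assumes the usual helpers of this test case (`add_filter`, `get_userdata`, `assertNotWPError`) are available, which the surrounding file suggests but the hunk does not show. The new methods sit at the end of the class, whose header is outside the hunk.
```php
	// … unchanged: test_wp_insert_user_password_with_backslash() …

	/**
	 * Test that the value returned by `pre_hash_password` is the one that gets hashed.
	 *
	 * @ticket 49639
	 */
	public function test_wp_insert_user_pre_hash_password_filter() {
		add_filter(
			'pre_hash_password',
			static function ( $password ) {
				return 'filtered_' . $password;
			}
		);

		$user_id = wp_insert_user(
			array(
				'user_login' => 'test_user_filtered',
				'user_email' => 'test_user_filtered@example.com',
				'user_pass'  => 'original',
			)
		);

		remove_all_filters( 'pre_hash_password' );

		$this->assertNotWPError( $user_id );
		$user = get_userdata( $user_id );
		$this->assertTrue( wp_check_password( 'filtered_original', $user->user_pass, $user_id ) );
		$this->assertFalse( wp_check_password( 'original', $user->user_pass, $user_id ) );
	}
```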
@@ -2150,10 +2150,6 @@ function wp_insert_user( $userdata ) {
 return new WP_Error( 'empty_pre_hash_password', __( 'Cannot create a user with an empty password.' ) );
 }
- if ( str_contains( ( $pre_hash_password ), '\\' ) ) {
- return new WP_Error( 'illegal_pre_hash_password', __( 'Passwords may not contain the character "\\".' ) );
- }
-
 // Hash the password.
 $user_pass = wp_hash_password( $pre_hash_password );
 }
From 7c001627dd0162cf4f3e6cf7f90d737358d96c65 Mon Sep 17 00:00:00 2001 From: mklute101 Date: Tue, 17 Sep 2024 15:59:08 -0700 Subject: [PATCH 7/8] ran PHPCS
---
 src/wp-includes/user.php | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index dc7aac5a027a3..ee92759fd78fd 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2137,18 +2137,18 @@ function wp_insert_user( $userdata ) {
 } else {
 $update = false;
- /**
- * Filters a password before hashing it.
- *
- * @since 6.7.0
- *
- * @param string $userdata['user_pass'] The user's password.
- */
- $pre_hash_password = apply_filters( 'pre_hash_password', $userdata['user_pass'] );
-
- if ( empty( $pre_hash_password ) ) {
- return new WP_Error( 'empty_pre_hash_password', __( 'Cannot create a user with an empty password.' ) );
- }
+ /**
+ * Filters a password before hashing it.
+ *
+ * @since 6.7.0
+ *
+ * @param string $userdata['user_pass'] The user's password.
+ */
+ $pre_hash_password = apply_filters( 'pre_hash_password', $userdata['user_pass'] );
+
+ if ( empty( $pre_hash_password ) ) {
+ return new WP_Error( 'empty_pre_hash_password', __( 'Cannot create a user with an empty password.' ) );
+ }
 // Hash the password.
 $user_pass = wp_hash_password( $pre_hash_password );
@@ -2606,16 +2606,16 @@ function wp_update_user( $userdata ) {
 if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
- /** This filter is documented in wp-includes/user.php */
- $pre_hash_password = apply_filters( 'pre_hash_password', $userdata['user_pass'] );
+ /** This filter is documented in wp-includes/user.php */
+ $pre_hash_password = apply_filters( 'pre_hash_password', $userdata['user_pass'] );
- if ( empty( $pre_hash_password ) ) {
- return new WP_Error( 'empty_pre_hash_password', __( 'Empty password.' ) );
- }
+ if ( empty( $pre_hash_password ) ) {
+ return new WP_Error( 'empty_pre_hash_password', __( 'Empty password.' ) );
+ }
- if ( false !== strpos( $pre_hash_password, '\\' ) ) {
- return new WP_Error( 'illegal_pre_hash_password', __( 'Passwords may not contain the character "\\".' ) );
- }
+ if ( false !== strpos( $pre_hash_password, '\\' ) ) {
+ return new WP_Error( 'illegal_pre_hash_password', __( 'Passwords may not contain the character "\\".' ) );
+ }
 // If password is changing, hash it now.
 $plaintext_pass = $pre_hash_password;
From 4b0891e3f29b1f03e28dbbfbe23f72de4fd4d8f7 Mon Sep 17 00:00:00 2001 From: mklute101 Date: Tue, 17 Sep 2024 16:17:31 -0700 Subject: [PATCH 8/8] remove the test for backslash
---
 tests/phpunit/tests/user.php | 19 -------------------
 1 file changed, 19 deletions(-)
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index 8c1ca0f5b13da..d35aaa2655c9d 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
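Review bot: The re-indented block on the new side still carries `if ( false !== strpos( $pre_hash_password, '\\' ) )` returning `illegal_pre_hash_password`, while the previous commit in this series removed the equivalent check from `wp_insert_user()` on the grounds that backslashes are allowed; after this series, creating a user whose password contains a backslash succeeds but later changing the password to one fails, and the test for that message is deleted in the next commit. Either drop these three lines here as well, or restore the check in both places with a test; and if it stays, use `str_contains( $pre_hash_password, '\\' )` as patch 2 did for the create path. A whitespace-only commit is also not the place for this decision, so I would split it out so the intent is visible in history. The enclosing `if` block and wp_update_user continue past the end of the hunk.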
@@ -2204,23 +2204,4 @@ public function test_wp_insert_user_empty_password() {
 $this->assertSame( 'empty_pre_hash_password', $create_user->get_error_code() );
 $this->assertSame( 'Cannot create a user with an empty password.', $create_user->get_error_message() );
 }
-
- /**
- * Test that an error is returned when the password contains a backslash.
- *
- * @ticket 49639
- */
- public function test_wp_insert_user_password_with_backslash() {
- $user_data = array(
- 'user_login' => 'test_user_backslash',
- 'user_email' => 'test_user_backslash@example.com',
- 'user_pass' => 'password\\123',
- );
-
- $create_user = wp_insert_user( $user_data );
-
- $this->assertWPError( $create_user );
- $this->assertSame( 'illegal_pre_hash_password', $create_user->get_error_code() );
- $this->assertSame( 'Passwords may not contain the character "\\".', $create_user->get_error_message() );
- }
 }