[wp-trac] [WordPress Trac] #13654: Install should NOT use stripslashes on admin password

WordPress Trac wp-trac at lists.automattic.com
Mon May 31 10:06:23 UTC 2010


#13654: Install should NOT use stripslashes on admin password
-----------------------------+----------------------------------------------
 Reporter:  johanee          |       Owner:  dd32
     Type:  defect (bug)     |      Status:  new 
 Priority:  normal           |   Milestone:  3.0 
Component:  Upgrade/Install  |     Version:  3.0 
 Severity:  normal           |    Keywords:      
-----------------------------+----------------------------------------------
 If you use ', ", \ in the administration password when doing a new install
 you will not be able to log in.

 This is because the new 3.0 install uses stripslashes() on the
 administrator password.

 This would normally be the right thing to do, but unfortunately no other
 part of the WordPress password handling does so. Login tests against
 unescaped strings, new user creation and user edit use the same.

 This is unfortunate, but as all WordPress users ever created have \", \',
 \\ in their hashed passwords (depending on server configuration I guess)
 it is probably too painful to change.

 Therefore wp-admin/install.php should be changed to not use
 stripslashes().

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/13654>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
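
The mismatch reported in the ticket above, as an added example that is not part of the original message and is not WordPress code. It assumes request values arrive backslash-escaped (modelled here with addslashes()) and uses PHP's password_hash()/password_verify() in place of WordPress's own hasher; all function names are hypothetical.

```php
<?php
// Added illustration of ticket #13654; not WordPress code.
// Helper names are hypothetical.

// Assumption: stand-in for request data reaching the password code
// with quotes and backslashes already backslash-escaped.
function slashed_request_value(string $typed): string {
    return addslashes($typed);
}

// Install path as reported in the ticket: stripslashes() before hashing.
function install_hash_with_stripslashes(string $typed): string {
    $received = slashed_request_value($typed);
    return password_hash(stripslashes($received), PASSWORD_DEFAULT);
}

// Install path the ticket asks for: hash the value exactly as received,
// the same way the login, user-creation and user-edit paths do.
function install_hash_without_stripslashes(string $typed): string {
    return password_hash(slashed_request_value($typed), PASSWORD_DEFAULT);
}

// Login path as described in the ticket: no stripslashes() before comparing.
function login_ok(string $typed, string $stored_hash): bool {
    return password_verify(slashed_request_value($typed), $stored_hash);
}

// Constructed sample passwords: one plain, then ', " and \ from the report.
$samples = ['plainpassword', "it's", 'say"hi"', 'back\\slash'];

foreach ($samples as $pw) {
    $with    = login_ok($pw, install_hash_with_stripslashes($pw));
    $without = login_ok($pw, install_hash_without_stripslashes($pw));
    printf(
        "%-14s install with stripslashes: %-5s  without: %s\n",
        $pw,
        $with ? 'login' : 'FAIL',
        $without ? 'login' : 'FAIL'
    );
}
```

Only the passwords containing ', " or \ fail after an install that strips slashes, because the stored hash is of a different string than the one the login path checks.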