Ticket #5367: secure_cookie.5.diff
| File secure_cookie.5.diff, 14.7 kB (added by ryan, 10 months ago) |
|---|
-
wp-login.php
old new 288 288 default: 289 289 $user_login = ''; 290 290 $user_pass = ''; 291 $using_cookie = FALSE;292 291 293 292 if ( !isset( $_REQUEST['redirect_to'] ) || is_user_logged_in() ) 294 293 $redirect_to = 'wp-admin/'; … … 296 295 $redirect_to = $_REQUEST['redirect_to']; 297 296 298 297 if ( $http_post ) { 298 // If cookies are disabled we can't log in even with a valid user+pass 299 if ( empty($_COOKIE[TEST_COOKIE]) ) 300 $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.'); 301 299 302 $user_login = $_POST['log']; 300 303 $user_login = sanitize_user( $user_login ); 301 304 $user_pass = $_POST['pwd']; 302 305 $rememberme = $_POST['rememberme']; 306 307 do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass)); 303 308 } else { 304 $cookie_login = wp_get_cookie_login(); 305 if ( ! empty($cookie_login) ) { 306 $using_cookie = true; 307 $user_login = $cookie_login['login']; 308 $user_pass = $cookie_login['password']; 309 $user = wp_validate_auth_cookie(); 310 if ( !$user ) { 311 $errors['expiredsession'] = __('Your session has expired.'); 312 } else { 313 $user = new WP_User($user); 314 315 // If the user can't edit posts, send them to their profile. 316 if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) ) 317 $redirect_to = get_option('siteurl') . '/wp-admin/profile.php'; 318 wp_safe_redirect($redirect_to); 319 exit(); 309 320 } 310 321 } 311 322 312 do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass));313 314 // If cookies are disabled we can't log in even with a valid user+pass315 if ( $http_post && empty($_COOKIE[TEST_COOKIE]) )316 $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.');317 318 323 if ( $user_login && $user_pass && empty( $errors ) ) { 319 324 $user = new WP_User(0, $user_login); 320 325 … … 322 327 if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) ) 323 328 $redirect_to = get_option('siteurl') . '/wp-admin/profile.php'; 324 329 325 if ( wp_login($user_login, $user_pass, $using_cookie) ) { 326 if ( !$using_cookie ) 327 wp_setcookie($user_login, $user_pass, false, '', '', $rememberme); 330 if ( wp_login($user_login, $user_pass) ) { 331 wp_set_auth_cookie($user->ID, $rememberme); 328 332 do_action('wp_login', $user_login); 329 333 wp_safe_redirect($redirect_to); 330 334 exit(); 331 } else {332 if ( $using_cookie )333 $errors['expiredsession'] = __('Your session has expired.');334 335 } 335 336 } 336 337 -
wp-includes/compat.php
old new 147 147 } 148 148 } 149 149 150 if ( ! function_exists('hash_hmac') ): 151 function hash_hmac($algo, $data, $key, $raw_output = false) { 152 $packs = array('md5' => 'H32', 'sha1' => 'H40'); 153 154 if ( !isset($packs[$algo]) ) 155 return false; 156 157 $pack = $packs[$algo]; 158 159 if (strlen($key) > 64) 160 $key = pack($pack, $algo($key)); 161 else if (strlen($key) < 64) 162 $key = str_pad($key, 64, chr(0)); 163 164 $ipad = (substr($key, 0, 64) ^ str_repeat(chr(0x36), 64)); 165 $opad = (substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64)); 166 167 return $algo($opad . pack($pack, $algo($ipad . $data))); 168 } 169 endif; 170 150 171 // Added in PHP 4.3.0? 151 172 if (!defined('IMAGETYPE_GIF')) 152 173 define('IMAGETYPE_GIF', 1); -
wp-includes/pluggable.php
old new 46 46 if ( ! empty($current_user) ) 47 47 return; 48 48 49 if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) || 50 !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) { 49 if ( ! $user = wp_validate_auth_cookie() ) { 51 50 wp_set_current_user(0); 52 51 return false; 53 52 } 54 53 55 $user_login = $_COOKIE[USER_COOKIE]; 56 wp_set_current_user(0, $user_login); 54 wp_set_current_user($user); 57 55 } 58 56 endif; 59 57 … … 293 291 endif; 294 292 295 293 if ( !function_exists('wp_login') ) : 296 function wp_login($username, $password, $ already_md5= false) {294 function wp_login($username, $password, $deprecated = false) { 297 295 global $wpdb, $error; 298 296 299 297 $username = sanitize_user($username); … … 313 311 return false; 314 312 } 315 313 316 // If the password is already_md5, it has been double hashed. 317 // Otherwise, it is plain text. 318 if ( !$already_md5 ) { 319 if ( wp_check_password($password, $login->user_pass) ) { 320 // If using old md5 password, rehash. 321 if ( strlen($login->user_pass) <= 32 ) { 322 $hash = wp_hash_password($password); 323 $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'"); 324 wp_cache_delete($login->ID, 'users'); 325 } 314 if ( !wp_check_password($password, $login->user_pass) ) { 315 $error = __('<strong>ERROR</strong>: Incorrect password.'); 316 return false; 317 } 326 318 327 return true; 328 } 319 // If using old md5 password, rehash. 320 if ( strlen($login->user_pass) <= 32 ) { 321 $hash = wp_hash_password($password); 322 $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'"); 323 wp_cache_delete($login->ID, 'users'); 324 } 325 326 return true; 327 } 328 endif; 329 330 if ( !function_exists('wp_validate_auth_cookie') ) : 331 function wp_validate_auth_cookie($cookie = '') { 332 if ( empty($cookie) ) { 333 if ( empty($_COOKIE[AUTH_COOKIE]) ) 334 return false; 335 $cookie = $_COOKIE[AUTH_COOKIE]; 336 } 337 338 list($username, $expiration, $hmac) = explode('|', $cookie); 339 340 $expired = $expiration; 341 342 // Allow a grace period for POST requests 343 if ( 'POST' == $_SERVER['REQUEST_METHOD'] ) 344 $expired += 3600; 345 346 if ( $expired < time() ) 347 return false; 348 349 $key = wp_hash($username . $expiration); 350 $hash = hash_hmac('md5', $username . $expiration, $key); 351 352 if ( $hmac != $hash ) 353 return false; 354 355 $user = get_userdatabylogin($username); 356 if ( ! $user ) 357 return false; 358 359 return $user->ID; 360 } 361 endif; 362 363 if ( !function_exists('wp_set_auth_cookie') ) : 364 function wp_set_auth_cookie($user_id, $remember = false) { 365 $user = get_userdata($user_id); 366 367 if ( $remember ) { 368 $expiration = $expire = time() + 1209600; 329 369 } else { 330 if ( md5($login->user_pass) == $password )331 return true;370 $expiration = time() + 172800; 371 $expire = 0; 332 372 } 333 373 334 $error = __('<strong>ERROR</strong>: Incorrect password.'); 335 return false; 374 $key = wp_hash($user->user_login . $expiration); 375 $hash = hash_hmac('md5', $user->user_login . $expiration, $key); 376 377 $cookie = $user->user_login . '|' . $expiration . '|' . $hash; 378 379 setcookie(AUTH_COOKIE, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN); 380 if ( COOKIEPATH != SITECOOKIEPATH ) 381 setcookie(AUTH_COOKIE, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN); 336 382 } 337 383 endif; 338 384 385 if ( !function_exists('wp_clear_auth_cookie') ) : 386 function wp_clear_auth_cookie() { 387 setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 388 setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 389 390 // Old cookies 391 setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 392 setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 393 setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 394 setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 395 } 396 endif; 397 339 398 if ( !function_exists('is_user_logged_in') ) : 340 399 function is_user_logged_in() { 341 400 $user = wp_get_current_user(); … … 350 409 if ( !function_exists('auth_redirect') ) : 351 410 function auth_redirect() { 352 411 // Checks if a user is logged in, if not redirects them to the login page 353 if ( (!empty($_COOKIE[ USER_COOKIE]) &&354 !wp_ login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) ||355 (empty($_COOKIE[ USER_COOKIE])) ) {412 if ( (!empty($_COOKIE[AUTH_COOKIE]) && 413 !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE])) || 414 (empty($_COOKIE[AUTH_COOKIE])) ) { 356 415 nocache_headers(); 357 416 358 417 wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI'])); … … 379 438 if ( !wp_verify_nonce( $nonce, $action ) ) { 380 439 $current_name = ''; 381 440 if ( ( $current = wp_get_current_user() ) && $current->ID ) 382 $current_name = $current-> data->user_login;441 $current_name = $current->user_login; 383 442 if ( !$current_name ) 384 443 die('-1'); 385 444 445 $auth_cookie = ''; 386 446 $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? $_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie 387 447 foreach ( $cookie as $tasty ) { 388 if ( false !== strpos($tasty, USER_COOKIE) ) 389 $user = substr(strstr($tasty, '='), 1); 390 if ( false !== strpos($tasty, PASS_COOKIE) ) 391 $pass = substr(strstr($tasty, '='), 1); 448 if ( false !== strpos($tasty, AUTH_COOKIE) ) 449 $auth_cookie = substr(strstr($tasty, '='), 1); 392 450 } 393 451 394 if ( $current_name != $user || !wp_login( $user, $pass, true ) )452 if ( $current_name != $user || empty($auth_cookie) || !wp_validate_auth_cookie( $auth_cookie ) ) 395 453 die('-1'); 396 454 } 397 455 do_action('check_ajax_referer'); … … 472 530 } 473 531 endif; 474 532 475 if ( !function_exists('wp_get_cookie_login') ):476 function wp_get_cookie_login() {477 if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) )478 return false;479 480 return array('login' => $_COOKIE[USER_COOKIE], 'password' => $_COOKIE[PASS_COOKIE]);481 }482 483 endif;484 485 if ( !function_exists('wp_setcookie') ) :486 function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {487 $user = get_userdatabylogin($username);488 if ( !$already_md5) {489 $password = md5($user->user_pass); // Double hash the password in the cookie.490 }491 492 if ( empty($home) )493 $cookiepath = COOKIEPATH;494 else495 $cookiepath = preg_replace('|https?://[^/]+|i', '', $home . '/' );496 497 if ( empty($siteurl) ) {498 $sitecookiepath = SITECOOKIEPATH;499 $cookiehash = COOKIEHASH;500 } else {501 $sitecookiepath = preg_replace('|https?://[^/]+|i', '', $siteurl . '/' );502 $cookiehash = md5($siteurl);503 }504 505 if ( $remember )506 $expire = time() + 31536000;507 else508 $expire = 0;509 510 setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN);511 setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);512 513 if ( $cookiepath != $sitecookiepath ) {514 setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN);515 setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);516 }517 }518 endif;519 520 if ( !function_exists('wp_clearcookie') ) :521 function wp_clearcookie() {522 setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);523 setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);524 setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);525 setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);526 }527 endif;528 529 533 if ( ! function_exists('wp_notify_postauthor') ) : 530 534 function wp_notify_postauthor($comment_id, $comment_type='') { 531 535 $comment = get_comment($comment_id); … … 692 696 if ( !function_exists('wp_salt') ) : 693 697 function wp_salt() { 694 698 $salt = get_option('secret'); 695 if ( empty($salt) ) 696 $salt = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH; 699 if ( empty($salt) ) { 700 $salt = wp_generate_password(); 701 update_option('secret', $salt); 702 } 697 703 698 return $salt; 704 if ( !defined('SECRET_KEY') || '' == SECRET_KEY ) 705 $secret_key = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH; 706 else 707 $secret_key = SECRET_KEY; 708 709 return $salt . $secret_key; 699 710 } 700 711 endif; 701 712 … … 758 769 return $password; 759 770 } 760 771 endif; 772 773 // Deprecated. Use wp_set_auth_cookie() 774 if ( !function_exists('wp_setcookie') ) : 775 function wp_setcookie($username, $password = '', $already_md5 = false, $home = '', $siteurl = '', $remember = false) { 776 $user = get_userdatabylogin($username); 777 wp_set_auth_cookie($user->ID, $remember); 778 } 779 endif; 780 781 // Deprecated. Use wp_clear_auth_cookie() 782 if ( !function_exists('wp_clearcookie') ) : 783 function wp_clearcookie() { 784 wp_clear_auth_cookie(); 785 } 786 endif; 787 788 // Deprecated. No alternative. 789 if ( !function_exists('wp_get_cookie_login') ): 790 function wp_get_cookie_login() { 791 return false; 792 } 793 endif; 794 761 795 ?> -
wp-includes/registration.php
old new 167 167 $current_user = wp_get_current_user(); 168 168 if ( $current_user->id == $ID ) { 169 169 if ( isset($plaintext_pass) ) { 170 wp_clear cookie();171 wp_set cookie($userdata['user_login'], $plaintext_pass);170 wp_clear_auth_cookie(); 171 wp_set_auth_cookie($ID); 172 172 } 173 173 } 174 174 -
wp-config-sample.php
old new 6 6 define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value 7 7 define('DB_CHARSET', 'utf8'); 8 8 define('DB_COLLATE', ''); 9 define('SECRET_KEY', ''); // Change this to a unique phrase. 9 10 10 11 // You can have multiple installations in one database if you give each a unique prefix 11 12 $table_prefix = 'wp_'; // Only numbers, letters, and underscores please! -
wp-settings.php
old new 186 186 } 187 187 188 188 if ( !defined('USER_COOKIE') ) 189 define('USER_COOKIE', 'wordpressuser_' . COOKIEHASH);189 define('USER_COOKIE', 'wordpressuser_' . COOKIEHASH); 190 190 if ( !defined('PASS_COOKIE') ) 191 define('PASS_COOKIE', 'wordpresspass_'. COOKIEHASH); 191 define('PASS_COOKIE', 'wordpresspass_' . COOKIEHASH); 192 if ( !defined('AUTH_COOKIE') ) 193 define('AUTH_COOKIE', 'wordpress_' . COOKIEHASH); 192 194 if ( !defined('TEST_COOKIE') ) 193 195 define('TEST_COOKIE', 'wordpress_test_cookie'); 194 196 if ( !defined('COOKIEPATH') ) -
wp-admin/includes/misc.php
old new 128 128 update_option( 'recently_edited', $oldfiles ); 129 129 } 130 130 131 // If siteurl or home changed, reset cookies andflush rewrite rules.131 // If siteurl or home changed, flush rewrite rules. 132 132 function update_home_siteurl( $old_value, $value ) { 133 133 global $wp_rewrite, $user_login, $user_pass_md5; 134 134 … … 137 137 138 138 // If home changed, write rewrite rules to new location. 139 139 $wp_rewrite->flush_rules(); 140 // Clear cookies for old paths.141 wp_clearcookie();142 // Set cookies for new paths.143 wp_setcookie( $user_login, $user_pass_md5, true, get_option( 'home' ), get_option( 'siteurl' ));144 140 } 145 141 146 142 add_action( 'update_option_home', 'update_home_siteurl', 10, 2 );
