Ticket #7197 (new defect (bug))

Opened 6 months ago

Last modified 5 months ago

With magic_quotes_gpc on you can't change password to anything with " or ' inside.

Reported by: sesee Assigned to: anonymous
Priority: normal Milestone: 2.9
Component: Administration Version: 2.5.1
Severity: normal Keywords: has-patch, needs-testing
Cc:

Description

If magic_quotes_gpc are on, user cannot change password to something having a " or ' inside. When submitting, magic_quotes automatically quotes " to \", and user gets an error: ERROR: Passwords may not contain the character "\". Although the password strength hint says: Hint: Use upper and lower case characters, numbers and symbols like !"?$%&( in your password.

So, there are two solutions: 1. remove '"' from hint which tells that you can use that kind of a password 2. if magic_quotes_gpc are on - stripslashes() the password ( it will be hashed anyway, so no harm to the database ).

Patch for solution #2 included.

Attachments

wp-patch-quotes.diff (1.2 kB) - added by sesee on 06/28/08 12:20:22.
no_magic_quotes_on_passwords.patch (1.9 kB) - added by mystyman on 08/16/08 15:42:12.

Change History

06/28/08 12:20:22 changed by sesee

  • attachment wp-patch-quotes.diff added.

07/15/08 16:24:07 changed by ryan

  • milestone changed from 2.5.2 to 2.9.

Milestone 2.5.2 deleted

08/15/08 21:02:25 changed by mystyman

  • keywords set to has-patch, needs-testing.

I'm currently running svn r8647 from Aug 14th. It appears that you cannot use passwords with these characters in them even with magic_quotes_gpc off.

In wp-settings.php the slashes are already stripped off if magic_quotes_gpc is on, from lines 481 - 485:

if ( get_magic_quotes_gpc() ) {
	$_GET    = stripslashes_deep($_GET   );
	$_POST   = stripslashes_deep($_POST  );
	$_COOKIE = stripslashes_deep($_COOKIE);
}

However, just after that, slashes are added back in all cases (magic_quotes_gpc on or off):

$_GET    = add_magic_quotes($_GET   );
$_POST   = add_magic_quotes($_POST  );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);

add_magic_quotes just calls the function $wpdb->escape, which at this time just calls the PHP function addslashes.

I am uploading a patch that alters the add_magic_quotes function to have a second optional arg, a 'donottouch' array which holds the names of keys to NOT apply $wpdb->escape to. Currently I'm using array('pwd','pass1','pass2') when setting the $_POST var in wp-settings.
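The two fixes proposed on this ticket (stripslashes() before hashing in the report, and a 'donottouch' key list in the patch described above) rest on the same point: addslashes-style escaping exists for the SQL context, and a password is hashed rather than stored raw, so it should reach the hash function exactly as typed. The following is an added example, not code from WordPress or from either patch; the function name add_magic_quotes_except, its $donottouch parameter and the sample form values are assumptions made for illustration.

```php
<?php
// Added example, not WordPress code: a recursive escaper in the spirit of
// add_magic_quotes() that skips a caller-supplied list of keys so that
// password fields reach the hashing step unmodified. The function name,
// the $donottouch parameter and the sample form below are assumptions.

// Escape every string in $data with addslashes(), except values stored under
// a key listed in $donottouch. Keys are matched by name at any nesting depth.
function add_magic_quotes_except(array $data, array $donottouch = array()) {
    foreach ($data as $key => $value) {
        if (in_array((string) $key, $donottouch, true)) {
            continue;                       // leave e.g. pass1/pass2 alone
        }
        if (is_array($value)) {
            $data[$key] = add_magic_quotes_except($value, $donottouch);
        } elseif (is_string($value)) {
            $data[$key] = addslashes($value);
        }
    }
    return $data;
}

// Constructed stand-in for a submitted profile form (not a real request).
$post = array(
    'display_name' => "O'Brien",
    'pass1'        => 'p@ss"word\'1',
    'pass2'        => 'p@ss"word\'1',
    'meta'         => array('bio' => 'He said "hi"'),
);

$escaped = add_magic_quotes_except($post, array('pwd', 'pass1', 'pass2'));

// Non-password fields carry the slashes the rest of the code expects;
// the password fields are byte-for-byte what the user typed.
printf("display_name: %s\n", $escaped['display_name']);
printf("meta.bio:     %s\n", $escaped['meta']['bio']);
printf("pass1 unchanged: %s\n", $escaped['pass1'] === $post['pass1'] ? 'yes' : 'no');

// A password is hashed before storage, so it never needs SQL escaping.
// Hashing the escaped form instead stores a hash of a different string
// than the one the user will type at login.
$hash_of_typed   = password_hash($post['pass1'], PASSWORD_DEFAULT);
$hash_of_escaped = password_hash(addslashes($post['pass1']), PASSWORD_DEFAULT);
printf("typed password against hash of typed password:   %s\n",
       password_verify($post['pass1'], $hash_of_typed) ? 'ok' : 'FAIL');
printf("typed password against hash of escaped password: %s\n",
       password_verify($post['pass1'], $hash_of_escaped) ? 'ok' : 'FAIL');
```

The exclusion is by key name, which mirrors the array('pwd','pass1','pass2') approach in the patch; any new password field added to a form later has to be added to that list too, so the check is worth pairing with a test that submits a password containing both quote characters.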

08/16/08 15:42:12 changed by mystyman

  • attachment no_magic_quotes_on_passwords.patch added.

08/16/08 15:42:47 changed by mystyman

Updated patch: removed a few lines in wp-admin/includes/user.php that also prevented "\" from being used in passwords, and rebased to svn r8653.