From 12135b98297c985f79d798bb06a387e5c35965e0 Mon Sep 17 00:00:00 2001
From: Andrew Nacin
Date: Fri, 21 Jun 2013 03:02:28 +0000
Subject: [PATCH] Validate post password hash.

Merges [24466] to the 3.5 branch.

git-svn-id: http://core.svn.wordpress.org/branches/3.5@24467 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/post-template.php | 13 +++++--------
 wp-login.php | 9 +++------
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php
index 21620b456f..d51d00953e 100644
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -567,8 +567,6 @@ function get_body_class( $class = '' ) {
 * @return bool false if a password is not required or the correct password cookie is present, true otherwise.
 */
 function post_password_required( $post = null ) {
- global $wp_hasher;
-
 $post = get_post($post);
 if ( empty( $post->post_password ) )
@@ -577,15 +575,14 @@ function post_password_required( $post = null ) {
 if ( ! isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
 return true;
- if ( empty( $wp_hasher ) ) {
- require_once( ABSPATH . 'wp-includes/class-phpass.php');
- // By default, use the portable hash from phpass
- $wp_hasher = new PasswordHash(8, true);
- }
+ require_once ABSPATH . 'wp-includes/class-phpass.php';
+ $hasher = new PasswordHash( 8, true );
 $hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
+ if ( 0 !== strpos( $hash, '$P$B' ) )
+ return true;
- return ! $wp_hasher->CheckPassword( $post->post_password, $hash );
+ return ! $hasher->CheckPassword( $post->post_password, $hash );
 }
 /**
diff --git a/wp-login.php b/wp-login.php
index 239e4a9c83..209341fa6a 100644
--- a/wp-login.php
+++ b/wp-login.php
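Review bot: The `'$P$B'` literal in the new `strpos` guard is tightly coupled to the `new PasswordHash( 8, true )` two lines above it and carries no comment saying so: if I read phpass correctly, `B` is the cost character the portable format emits for cost 8 on PHP 5, so anyone later bumping the `8` (or a PHP build that encodes the cost differently) would make every legitimately issued cookie fail this check and silently lock visitors out of password-protected posts rather than weaken anything. I would state the intent above the check, e.g. `// Accept only the portable phpass format produced by PasswordHash( 8, true ) above; any other cost character, or an arbitrary salt that CheckPassword would otherwise hand to crypt(), is rejected before any hashing work is done.` A length check on `$hash` would be a cheap complement, since the portable format is fixed-length (34 characters for `$P$` hashes, as far as I recall), so a truncated or padded cookie never reaches the fallback path inside CheckPassword either.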
@@ -389,14 +389,11 @@ $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
 switch ($action) {
 case 'postpass' :
- if ( empty( $wp_hasher ) ) {
- require_once( ABSPATH . 'wp-includes/class-phpass.php' );
- // By default, use the portable hash from phpass
- $wp_hasher = new PasswordHash(8, true);
- }
+ require_once ABSPATH . 'wp-includes/class-phpass.php';
+ $hasher = new PasswordHash( 8, true );
 // 10 days
- setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
+ setcookie( 'wp-postpass_' . COOKIEHASH, $hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 10 * DAY_IN_SECONDS, COOKIEPATH );
 wp_safe_redirect( wp_get_referer() );
 exit();
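Review bot: The rewritten `setcookie` line still reads `$_POST['post_password']` without an `isset()` guard, so a request that reaches `case 'postpass'` without that field (a GET, or a form missing the input; the `$http_post` flag shown on the hunk header line is not consulted here) raises a notice and issues a cookie holding the hash of an empty string, and a bail-out such as `if ( ! isset( $_POST['post_password'] ) ) { wp_safe_redirect( wp_get_referer() ); exit(); }` placed before the hashing would avoid both. The cookie is also set with only name, value, expiry and path, so `httponly` is off even though nothing client-side ever needs to read this value; passing `true` for setcookie's httponly argument (and `is_ssl()` for secure, if that is what the rest of this file uses for its auth cookies, which I cannot see from this hunk) is cheap hardening for a value that acts as a bearer credential for protected posts. The `case 'postpass'` branch sits inside a `switch` whose remaining cases lie outside this hunk.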