Recovery Mode: Use PasswordHash API directly when validating keys.

Previously, the wp_check_password function was used for validating keys, while the PasswordHash class was used for creating keys. This would prevent Recovery Mode from working on sites that provide a custom implementation for the wp_check_password pluggable function.

Props calvinalkan.
Fixes #56787.

Built from https://develop.svn.wordpress.org/trunk@55397


git-svn-id: http://core.svn.wordpress.org/trunk@54930 1a063a9b-81f0-0310-95a4-ce76da25c4cd
TimothyBlynJacobs 2023-02-21 15:59:18 +00:00
parent 57d8df8ab1
commit 9b806a3114
2 changed files with 10 additions and 2 deletions


@ -85,12 +85,15 @@ final class WP_Recovery_Mode_Key_Service {
*
* @since 5.2.0
*
* @global PasswordHash $wp_hasher
*
* @param string $token The token used when generating the given key.
* @param string $key The unhashed key.
* @param int $ttl Time in seconds for the key to be valid for.
* @return true|WP_Error True on success, error object on failure.
*/
public function validate_recovery_mode_key( $token, $key, $ttl ) {
global $wp_hasher;
$records = $this->get_keys();
@ -106,7 +109,12 @@ final class WP_Recovery_Mode_Key_Service {
return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) );
}
if ( ! wp_check_password( $key, $record['hashed_key'] ) ) {
if ( empty( $wp_hasher ) ) {
require_once ABSPATH . WPINC . '/class-phpass.php';
$wp_hasher = new PasswordHash( 8, true );
}
if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
}
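Review bot: The `empty( $wp_hasher )` guard in the second hunk accepts whatever object is already in the `$wp_hasher` global, so key validation still depends on overridable state even though the pluggable `wp_check_password()` call is gone. If the key-generation path (not visible in these hunks) reads the same global, the two sides stay consistent and this is acceptable. It should still be stated in a comment above the guard, for example `// Use phpass directly: wp_check_password() is pluggable and may not accept hashes created by PasswordHash.`, so the call is not later simplified back. A stricter guard would be `if ( ! $wp_hasher instanceof PasswordHash ) {`, but that only makes sense if the generation side is changed in step. The body of `validate_recovery_mode_key()` continues outside both hunks.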


@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.2-beta2-55396';
$wp_version = '6.2-beta2-55397';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.