From 9b806a3114dafdab120baf041ba896217532db15 Mon Sep 17 00:00:00 2001
From: TimothyBlynJacobs
Date: Tue, 21 Feb 2023 15:59:18 +0000
Subject: [PATCH] Recovery Mode: Use PasswordHash API directly when validating keys.

Previously, the wp_check_password function was used for validating keys, while the PasswordHash class was used for creating keys. This would prevent Recovery Mode from working on sites that provide a custom implementation for the wp_check_password pluggable function.

Props calvinalkan.
Fixes #56787.
Built from https://develop.svn.wordpress.org/trunk@55397
git-svn-id: http://core.svn.wordpress.org/trunk@54930 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-wp-recovery-mode-key-service.php | 10 +++++++++-
 wp-includes/version.php | 2 +-
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/wp-includes/class-wp-recovery-mode-key-service.php b/wp-includes/class-wp-recovery-mode-key-service.php
index 5ab0f8c3f9..73713caeb9 100644
--- a/wp-includes/class-wp-recovery-mode-key-service.php
+++ b/wp-includes/class-wp-recovery-mode-key-service.php
@@ -85,12 +85,15 @@ final class WP_Recovery_Mode_Key_Service {
 *
 * @since 5.2.0
 *
+ * @global PasswordHash $wp_hasher
+ *
 * @param string $token The token used when generating the given key.
 * @param string $key The unhashed key.
 * @param int $ttl Time in seconds for the key to be valid for.
 * @return true|WP_Error True on success, error object on failure.
 */
 public function validate_recovery_mode_key( $token, $key, $ttl ) {
+ global $wp_hasher;
 $records = $this->get_keys();
@@ -106,7 +109,12 @@ final class WP_Recovery_Mode_Key_Service {
 return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) );
 }
 
- if ( ! wp_check_password( $key, $record['hashed_key'] ) ) {
+ if ( empty( $wp_hasher ) ) {
+ require_once ABSPATH . WPINC . '/class-phpass.php';
+ $wp_hasher = new PasswordHash( 8, true );
+ }
+
+ if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
 return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
 }
 
diff --git a/wp-includes/version.php b/wp-includes/version.php
index fa4d5fd039..8f61c3eff2 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.2-beta2-55396';
+$wp_version = '6.2-beta2-55397';
 
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
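Review bot: The new `if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) )` line deliberately avoids the pluggable `wp_check_password()`, but nothing in the code says why, and a reader who later sees a credential-like value checked through a non-pluggable path is likely to "restore" the pluggable call and reintroduce the exact mismatch this commit fixes; add a why-comment above the lazy-init block, e.g. `// Keys are hashed with PasswordHash directly at generation time, so they must be checked with the same API, not the pluggable wp_check_password().`. The `empty( $wp_hasher )` bootstrap of `new PasswordHash( 8, true )` presumably mirrors the block the key-generation path uses (outside this hunk); if so, a private helper shared by both methods would keep the cost and portability arguments from silently diverging between the hashing and checking sides. validate_recovery_mode_key() begins before this hunk.

```php
	/**
	 * Returns the shared PasswordHash instance, initializing the global on first use.
	 *
	 * Recovery keys are both hashed and checked through this instance so that a
	 * pluggable wp_check_password() override cannot break validation.
	 *
	 * @global PasswordHash $wp_hasher
	 *
	 * @return PasswordHash
	 */
	private function get_hasher() {
		global $wp_hasher;

		if ( empty( $wp_hasher ) ) {
			require_once ABSPATH . WPINC . '/class-phpass.php';
			$wp_hasher = new PasswordHash( 8, true );
		}

		return $wp_hasher;
	}

	// … unchanged: validate_recovery_mode_key() up to the format check …
		if ( ! $this->get_hasher()->CheckPassword( $key, $record['hashed_key'] ) ) {
			return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
		}
```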