Recovery Mode: Use PasswordHash API directly when validating keys.

Previously, the wp_check_password function was used for validating keys, while the PasswordHash class was used for creating keys. This would prevent Recovery Mode from working on sites that provide a custom implementation for the wp_check_password pluggable function.

Props calvinalkan.
Fixes #56787.

Built from https://develop.svn.wordpress.org/trunk@55397


git-svn-id: http://core.svn.wordpress.org/trunk@54930 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
TimothyBlynJacobs 2023-02-21 15:59:18 +00:00
parent 57d8df8ab1
commit 9b806a3114
2 changed files with 10 additions and 2 deletions

View File

@ -85,12 +85,15 @@ final class WP_Recovery_Mode_Key_Service {
* *
* @since 5.2.0 * @since 5.2.0
* *
* @global PasswordHash $wp_hasher
*
* @param string $token The token used when generating the given key. * @param string $token The token used when generating the given key.
* @param string $key The unhashed key. * @param string $key The unhashed key.
* @param int $ttl Time in seconds for the key to be valid for. * @param int $ttl Time in seconds for the key to be valid for.
* @return true|WP_Error True on success, error object on failure. * @return true|WP_Error True on success, error object on failure.
*/ */
public function validate_recovery_mode_key( $token, $key, $ttl ) { public function validate_recovery_mode_key( $token, $key, $ttl ) {
global $wp_hasher;
$records = $this->get_keys(); $records = $this->get_keys();
@ -106,7 +109,12 @@ final class WP_Recovery_Mode_Key_Service {
return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) ); return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) );
} }
if ( ! wp_check_password( $key, $record['hashed_key'] ) ) { if ( empty( $wp_hasher ) ) {
require_once ABSPATH . WPINC . '/class-phpass.php';
$wp_hasher = new PasswordHash( 8, true );
}
if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) ); return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
} }

View File

@ -16,7 +16,7 @@
* *
* @global string $wp_version * @global string $wp_version
*/ */
$wp_version = '6.2-beta2-55396'; $wp_version = '6.2-beta2-55397';
/** /**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.