From ed8c96636c16b2ab77ce8e955ed07732969994d4 Mon Sep 17 00:00:00 2001
From: ryan
Date: Wed, 11 Jan 2012 16:42:42 +0000
Subject: [PATCH] Hash post password in cookies. fixes #19797
git-svn-id: http://svn.automattic.com/wordpress/trunk@19728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/post-template.php | 17 ++++++++++++-----
 wp-pass.php | 12 +++++++++---
 2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php
index c5f053d15b..a29d62cedb 100644
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -558,18 +558,25 @@ function get_body_class( $class = '' ) {
 * @return bool false if a password is not required or the correct password cookie is present, true otherwise.
 */
 function post_password_required( $post = null ) {
+ global $wp_hasher;
+
 $post = get_post($post);
- if ( empty($post->post_password) )
+ if ( empty( $post->post_password ) )
 return false;
- if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) )
+ if ( ! isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
 return true;
- if ( stripslashes( $_COOKIE['wp-postpass_' . COOKIEHASH] ) != $post->post_password )
- return true;
+ if ( empty( $wp_hasher ) ) {
+ require_once( ABSPATH . 'wp-includes/class-phpass.php');
+ // By default, use the portable hash from phpass
+ $wp_hasher = new PasswordHash(8, true);
+ }
- return false;
+ $hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
+
+ return ! $wp_hasher->CheckPassword( $post->post_password, $hash );
 }
 /**
diff --git a/wp-pass.php b/wp-pass.php
index 6cb2a6d8ff..39ac448743 100644
--- a/wp-pass.php
+++ b/wp-pass.php
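Review bot: On the `return ! $wp_hasher->CheckPassword( $post->post_password, $hash );` line, `$hash` is whatever the client put in the cookie, and as far as I recall phpass's portable scheme takes its iteration count from the cost character of the hash it is handed rather than from the `8` configured on the `new PasswordHash(8, true)` line, so the visitor rather than the site decides how much CPU this check spends on every render of a protected post. Before calling CheckPassword, reject cookie values whose length or cost prefix differ from what the configured hasher itself emits (I believe that is a `$P$B` prefix on PHP 5 — worth confirming against class-phpass.php), e.g. `if ( strncmp( $hash, '$P$B', 4 ) !== 0 ) return true;`. The `empty( $wp_hasher )` bootstrap block added here is repeated verbatim in the wp-pass.php hunk; pulling it into one helper would keep the cost setting and the include path in a single place.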
@@ -7,10 +7,16 @@
 */
 /** Make sure that the WordPress bootstrap has run before continuing. */
-require( dirname(__FILE__) . '/wp-load.php');
+require( dirname( __FILE__ ) . '/wp-load.php');
+
+if ( empty( $wp_hasher ) ) {
+ require_once( ABSPATH . 'wp-includes/class-phpass.php');
+ // By default, use the portable hash from phpass
+ $wp_hasher = new PasswordHash(8, true);
+}
 // 10 days
-setcookie('wp-postpass_' . COOKIEHASH, stripslashes( $_POST['post_password'] ), time() + 864000, COOKIEPATH);
+setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 864000, COOKIEPATH );
-wp_safe_redirect(wp_get_referer());
+wp_safe_redirect( wp_get_referer() );
 exit;
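Review bot: The rewritten `setcookie(...)` line still omits the `httponly` (and `secure`) arguments, so script running on any page under COOKIEPATH can read the hash that now stands in for the post password; passing the remaining positional arguments closes that, e.g. `setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 864000, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );` (COOKIE_DOMAIN and is_ssl() are defined elsewhere in WordPress). The same line reads `$_POST['post_password']` without an `isset` guard, so a request to wp-pass.php with no form body appears to hash an undefined index and set a cookie for the empty string; a guard such as `if ( ! isset( $_POST['post_password'] ) ) { wp_safe_redirect( wp_get_referer() ); exit; }` placed before it avoids both the notice and the pointless cookie.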