From f192cfe5c87524380da66d8aa660a76df357d0d5 Mon Sep 17 00:00:00 2001
From: rboren
Date: Wed, 13 Oct 2004 02:21:37 +0000
Subject: [PATCH] Double hash password in cookies.
git-svn-id: http://svn.automattic.com/wordpress/trunk@1788 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/functions.php | 4 +++-
 wp-login.php | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index e84c075333..30905fca5e 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -1900,7 +1900,9 @@ function wp_login($username, $password, $already_md5 = false) {
 $error = __('Error: Wrong login.');
 return false;
 } else {
- if ( ($already_md5 && $login->user_login == $username && $login->user_pass == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
+ // If the password is already_md5, it has been double hashed.
+ // Otherwise, it is plain text.
+ if ( ($already_md5 && $login->user_login == $username && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
 return true;
 } else {
 $error = __('Error: Incorrect password.');
diff --git a/wp-login.php b/wp-login.php
index 5c9bae8040..d944f3a96e 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -159,7 +159,7 @@ default:
 if ($log && $pwd) {
 if ( wp_login($log, $pwd) ) {
 $user_login = $log;
- $user_pass = md5($pwd);
+ $user_pass = md5(md5($pwd)); // Double hash the password in the cookie.
 setcookie('wordpressuser_'. COOKIEHASH, $user_login, time() + 31536000, COOKIEPATH);
 setcookie('wordpresspass_'. COOKIEHASH, $user_pass, time() + 31536000, COOKIEPATH);
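Review bot: In wp-includes/functions.php the new cookie check `md5($login->user_pass) == $password` compares two hex digests with loose `==`, so PHP compares them numerically whenever both strings look like numbers (digests of the form `0e` followed only by digits), and a cookie value can be accepted without being identical to the expected digest. The comparison should be strict, `md5($login->user_pass) === $password`, and the plain-text branch on the same line should likewise use `$login->user_pass === md5($password)`. On PHP versions that provide it, `hash_equals()` also removes the timing difference between a near match and a mismatch. wp_login's body starts and ends outside the hunk, so how `$login` is fetched is not visible here.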
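Review bot: In wp-login.php, `md5(md5($pwd))` leaves the cookie a fixed, unsalted function of the password, so it is still a password-equivalent credential. It stays valid until the password changes, and it equals `md5()` of the stored `user_pass`, so read access to the user table is enough to derive it. The double hash only keeps a captured cookie from being the stored hash itself, and the unchanged `setcookie()` lines below give it a one-year lifetime. A random per-login token validated server-side, or at least a value keyed with a server-side secret, would make the cookie revocable and underivable from the database. If the scheme stays, the inline comment should state the limit, for example `// Cookie is md5(stored hash): still password-equivalent until the password changes.` The enclosing branch continues outside the hunk.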