Ticket #528: WPMU_1.3_Tag_Patch.diff
| File WPMU_1.3_Tag_Patch.diff, 23.7 kB (added by jaredbangs, 8 months ago) |
|---|
-
wp-login.php
old new 185 185 186 186 // Generate something random for a password... md5'ing current time with a rand salt 187 187 $new_pass = substr( md5( uniqid( microtime() ) ), 0, 7); 188 $wpdb->query("UPDATE $wpdb->users SET user_pass = MD5('$new_pass'), user_activation_key = '' WHERE user_login = '$user->user_login'"); 188 $new_hash = wp_hash_password($new_pass); 189 $wpdb->query("UPDATE $wpdb->users SET user_pass = '$new_hash', user_activation_key = '' WHERE ID = '$user->ID'"); 189 190 wp_cache_delete($user->ID, 'users'); 190 wp_cache_delete($user->user_login, 'userlogins');191 191 $message = sprintf(__('Username: %s'), $user->user_login) . "\r\n"; 192 192 $message .= sprintf(__('Password: %s'), $new_pass) . "\r\n"; 193 193 $message .= get_option('siteurl') . "/wp-login.php\r\n"; … … 207 207 default: 208 208 $user_login = ''; 209 209 $user_pass = ''; 210 $using_cookie = FALSE;211 210 212 211 if ( !isset( $_REQUEST['redirect_to'] ) || is_user_logged_in() ) 213 212 $redirect_to = 'wp-admin/'; … … 215 214 $redirect_to = $_REQUEST['redirect_to']; 216 215 217 216 if ( $_POST ) { 217 // If cookies are disabled we can't log in even with a valid user+pass 218 if ( empty($_COOKIE[TEST_COOKIE]) ) 219 $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.'); 220 218 221 $user_login = $_POST['log']; 219 222 $user_login = sanitize_user( $user_login ); 220 223 $user_pass = $_POST['pwd']; 221 224 $rememberme = $_POST['rememberme']; 225 226 do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass)); 222 227 } else { 223 $cookie_login = wp_get_cookie_login(); 224 if ( ! 
empty($cookie_login) ) { 225 $using_cookie = true; 226 $user_login = $cookie_login['login']; 227 $user_pass = $cookie_login['password']; 228 $user = wp_validate_auth_cookie(); 229 if ( !$user ) { 230 if ( empty($_GET['loggedout']) ) 231 $errors['expiredsession'] = __('Your session has expired.'); 232 } else { 233 $user = new WP_User($user); 234 235 // If the user can't edit posts, send them to their profile. 236 if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) ) 237 $redirect_to = get_option('siteurl') . '/wp-admin/profile.php'; 238 wp_safe_redirect($redirect_to); 239 exit(); 228 240 } 229 241 } 230 231 do_action_ref_array('wp_authenticate', array(&$user_login, &$user_pass)); 232 233 // If cookies are disabled we can't log in even with a valid user+pass 234 if ( $_POST && empty($_COOKIE[TEST_COOKIE]) ) 235 $errors['test_cookie'] = __('<strong>ERROR</strong>: WordPress requires Cookies but your browser does not support them or they are blocked.'); 236 242 237 243 if ( $user_login && $user_pass && empty( $errors ) ) { 238 244 $user = new WP_User(0, $user_login); 239 245 … … 241 247 if ( !$user->has_cap('edit_posts') && ( empty( $redirect_to ) || $redirect_to == 'wp-admin/' ) ) 242 248 $redirect_to = get_option('siteurl') . '/wp-admin/profile.php'; 243 249 244 if ( wp_login($user_login, $user_pass, $using_cookie) ) { 245 if ( !$using_cookie ) 246 wp_setcookie($user_login, $user_pass, false, '', '', $rememberme); 250 if ( wp_login($user_login, $user_pass) ) { 251 wp_set_auth_cookie($user->ID, $rememberme); 247 252 do_action('wp_login', $user_login); 248 253 wp_safe_redirect($redirect_to); 249 254 exit(); 250 } else {251 if ( $using_cookie )252 $errors['expiredsession'] = __('Your session has expired.');253 255 } 254 256 } 255 257 -
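Review bot: The reset password on new line 187 is still `substr( md5( uniqid( microtime() ) ), 0, 7)`, seven hex characters (at most 28 bits) derived from the clock, so the stronger hash written on new lines 188-189 protects a value that is itself weak. This patch already calls `wp_generate_password()` in wp_salt(); assuming that helper draws from a wider character set and a better source, the line could become `$new_pass = wp_generate_password();`. The password-reset case that contains these lines starts and ends outside the hunk.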
wp-includes/class-phpass.php
old new 1 <?php 2 /** 3 * Portable PHP password hashing framework. 4 * @package phpass 5 * @since 2.4 6 * @version 0.1 7 * @link http://www.openwall.com/phpass/ 8 */ 9 10 # 11 # Portable PHP password hashing framework. 12 # 13 # Version 0.1 / genuine. 14 # 15 # Written by Solar Designer <solar at openwall.com> in 2004-2006 and placed in 16 # the public domain. 17 # 18 # There's absolutely no warranty. 19 # 20 # The homepage URL for this framework is: 21 # 22 # http://www.openwall.com/phpass/ 23 # 24 # Please be sure to update the Version line if you edit this file in any way. 25 # It is suggested that you leave the main version number intact, but indicate 26 # your project name (after the slash) and add your own revision information. 27 # 28 # Please do not change the "private" password hashing method implemented in 29 # here, thereby making your hashes incompatible. However, if you must, please 30 # change the hash type identifier (the "$P$") to something different. 31 # 32 # Obviously, since this code is in the public domain, the above are not 33 # requirements (there can be none), but merely suggestions. 34 # 35 class PasswordHash { 36 var $itoa64; 37 var $iteration_count_log2; 38 var $portable_hashes; 39 var $random_state; 40 41 function PasswordHash($iteration_count_log2, $portable_hashes) 42 { 43 $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; 44 45 if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) 46 $iteration_count_log2 = 8; 47 $this->iteration_count_log2 = $iteration_count_log2; 48 49 $this->portable_hashes = $portable_hashes; 50 51 $this->random_state = microtime() . getmypid(); 52 } 53 54 function get_random_bytes($count) 55 { 56 $output = ''; 57 if (($fh = @fopen('/dev/urandom', 'rb'))) { 58 $output = fread($fh, $count); 59 fclose($fh); 60 } 61 62 if (strlen($output) < $count) { 63 $output = ''; 64 for ($i = 0; $i < $count; $i += 16) { 65 $this->random_state = 66 md5(microtime() . 
$this->random_state); 67 $output .= 68 pack('H*', md5($this->random_state)); 69 } 70 $output = substr($output, 0, $count); 71 } 72 73 return $output; 74 } 75 76 function encode64($input, $count) 77 { 78 $output = ''; 79 $i = 0; 80 do { 81 $value = ord($input[$i++]); 82 $output .= $this->itoa64[$value & 0x3f]; 83 if ($i < $count) 84 $value |= ord($input[$i]) << 8; 85 $output .= $this->itoa64[($value >> 6) & 0x3f]; 86 if ($i++ >= $count) 87 break; 88 if ($i < $count) 89 $value |= ord($input[$i]) << 16; 90 $output .= $this->itoa64[($value >> 12) & 0x3f]; 91 if ($i++ >= $count) 92 break; 93 $output .= $this->itoa64[($value >> 18) & 0x3f]; 94 } while ($i < $count); 95 96 return $output; 97 } 98 99 function gensalt_private($input) 100 { 101 $output = '$P$'; 102 $output .= $this->itoa64[min($this->iteration_count_log2 + 103 ((PHP_VERSION >= '5') ? 5 : 3), 30)]; 104 $output .= $this->encode64($input, 6); 105 106 return $output; 107 } 108 109 function crypt_private($password, $setting) 110 { 111 $output = '*0'; 112 if (substr($setting, 0, 2) == $output) 113 $output = '*1'; 114 115 if (substr($setting, 0, 3) != '$P$') 116 return $output; 117 118 $count_log2 = strpos($this->itoa64, $setting[3]); 119 if ($count_log2 < 7 || $count_log2 > 30) 120 return $output; 121 122 $count = 1 << $count_log2; 123 124 $salt = substr($setting, 4, 8); 125 if (strlen($salt) != 8) 126 return $output; 127 128 # We're kind of forced to use MD5 here since it's the only 129 # cryptographic primitive available in all versions of PHP 130 # currently in use. To implement our own low-level crypto 131 # in PHP would result in much worse performance and 132 # consequently in lower iteration counts and hashes that are 133 # quicker to crack (by non-PHP code). 134 if (PHP_VERSION >= '5') { 135 $hash = md5($salt . $password, TRUE); 136 do { 137 $hash = md5($hash . $password, TRUE); 138 } while (--$count); 139 } else { 140 $hash = pack('H*', md5($salt . $password)); 141 do { 142 $hash = pack('H*', md5($hash . 
$password)); 143 } while (--$count); 144 } 145 146 $output = substr($setting, 0, 12); 147 $output .= $this->encode64($hash, 16); 148 149 return $output; 150 } 151 152 function gensalt_extended($input) 153 { 154 $count_log2 = min($this->iteration_count_log2 + 8, 24); 155 # This should be odd to not reveal weak DES keys, and the 156 # maximum valid value is (2**24 - 1) which is odd anyway. 157 $count = (1 << $count_log2) - 1; 158 159 $output = '_'; 160 $output .= $this->itoa64[$count & 0x3f]; 161 $output .= $this->itoa64[($count >> 6) & 0x3f]; 162 $output .= $this->itoa64[($count >> 12) & 0x3f]; 163 $output .= $this->itoa64[($count >> 18) & 0x3f]; 164 165 $output .= $this->encode64($input, 3); 166 167 return $output; 168 } 169 170 function gensalt_blowfish($input) 171 { 172 # This one needs to use a different order of characters and a 173 # different encoding scheme from the one in encode64() above. 174 # We care because the last character in our encoded string will 175 # only represent 2 bits. While two known implementations of 176 # bcrypt will happily accept and correct a salt string which 177 # has the 4 unused bits set to non-zero, we do not want to take 178 # chances and we also do not want to waste an additional byte 179 # of entropy. 
180 $itoa64 = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; 181 182 $output = '$2a$'; 183 $output .= chr(ord('0') + $this->iteration_count_log2 / 10); 184 $output .= chr(ord('0') + $this->iteration_count_log2 % 10); 185 $output .= '$'; 186 187 $i = 0; 188 do { 189 $c1 = ord($input[$i++]); 190 $output .= $itoa64[$c1 >> 2]; 191 $c1 = ($c1 & 0x03) << 4; 192 if ($i >= 16) { 193 $output .= $itoa64[$c1]; 194 break; 195 } 196 197 $c2 = ord($input[$i++]); 198 $c1 |= $c2 >> 4; 199 $output .= $itoa64[$c1]; 200 $c1 = ($c2 & 0x0f) << 2; 201 202 $c2 = ord($input[$i++]); 203 $c1 |= $c2 >> 6; 204 $output .= $itoa64[$c1]; 205 $output .= $itoa64[$c2 & 0x3f]; 206 } while (1); 207 208 return $output; 209 } 210 211 function HashPassword($password) 212 { 213 $random = ''; 214 215 if (CRYPT_BLOWFISH == 1 && !$this->portable_hashes) { 216 $random = $this->get_random_bytes(16); 217 $hash = 218 crypt($password, $this->gensalt_blowfish($random)); 219 if (strlen($hash) == 60) 220 return $hash; 221 } 222 223 if (CRYPT_EXT_DES == 1 && !$this->portable_hashes) { 224 if (strlen($random) < 3) 225 $random = $this->get_random_bytes(3); 226 $hash = 227 crypt($password, $this->gensalt_extended($random)); 228 if (strlen($hash) == 20) 229 return $hash; 230 } 231 232 if (strlen($random) < 6) 233 $random = $this->get_random_bytes(6); 234 $hash = 235 $this->crypt_private($password, 236 $this->gensalt_private($random)); 237 if (strlen($hash) == 34) 238 return $hash; 239 240 # Returning '*' on error is safe here, but would _not_ be safe 241 # in a crypt(3)-like function used _both_ for generating new 242 # hashes and for validating passwords against existing hashes. 243 return '*'; 244 } 245 246 function CheckPassword($password, $stored_hash) 247 { 248 $hash = $this->crypt_private($password, $stored_hash); 249 if ($hash[0] == '*') 250 $hash = crypt($password, $stored_hash); 251 252 return $hash == $stored_hash; 253 } 254 } 255 256 ?> -
wp-includes/compat.php
old new 147 147 } 148 148 } 149 149 150 if ( ! function_exists('hash_hmac') ): 151 function hash_hmac($algo, $data, $key, $raw_output = false) { 152 $packs = array('md5' => 'H32', 'sha1' => 'H40'); 153 154 if ( !isset($packs[$algo]) ) 155 return false; 156 157 $pack = $packs[$algo]; 158 159 if (strlen($key) > 64) 160 $key = pack($pack, $algo($key)); 161 else if (strlen($key) < 64) 162 $key = str_pad($key, 64, chr(0)); 163 164 $ipad = (substr($key, 0, 64) ^ str_repeat(chr(0x36), 64)); 165 $opad = (substr($key, 0, 64) ^ str_repeat(chr(0x5C), 64)); 166 167 return $algo($opad . pack($pack, $algo($ipad . $data))); 168 } 169 endif; 170 150 171 ?> -
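Review bot: In the `hash_hmac()` fallback, a key longer than 64 bytes is hashed down to 16 or 20 bytes and then never padded, because the `str_pad` call sits in an `else if`. PHP's string `^` truncates to the shorter operand, so `$ipad` and `$opad` come out shorter than the 64-byte block and the result differs from a real HMAC. Pad unconditionally by replacing the `else if` branch with a plain `$key = str_pad($key, 64, chr(0));` after the length check. `$raw_output` is accepted but ignored, so the shim always returns hex; either honour it with `return $raw_output ? pack($pack, $digest) : $digest;` or document the limitation. The callers in this patch pass what look like short hex keys from `wp_hash()`, so they are probably unaffected, but other code relying on the shim would not be.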
wp-includes/pluggable.php
old new 46 46 if ( ! empty($current_user) ) 47 47 return; 48 48 49 if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) || 50 !wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true) ) { 49 if ( ! $user = wp_validate_auth_cookie() ) { 51 50 wp_set_current_user(0); 52 51 return false; 53 52 } 54 53 55 $user_login = $_COOKIE[USER_COOKIE]; 56 wp_set_current_user(0, $user_login); 54 wp_set_current_user($user); 57 55 } 58 56 endif; 59 57 … … 301 299 endif; 302 300 303 301 if ( !function_exists('wp_login') ) : 304 function wp_login($username, $password, $ already_md5= false) {302 function wp_login($username, $password, $deprecated = false) { 305 303 global $wpdb, $error, $current_user; 306 304 307 305 $username = sanitize_user($username); … … 346 344 return false; 347 345 } 348 346 } 347 348 /* 349 349 // If the password is already_md5, it has been double hashed. 350 350 // Otherwise, it is plain text. 351 351 if ( ($already_md5 && $login->user_login == $username && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) { … … 355 355 $pwd = ''; 356 356 return false; 357 357 } 358 */ 359 360 if ( !wp_check_password($password, $login->user_pass) ) { 361 $error = __('<strong>ERROR</strong>: Incorrect password.'); 362 return false; 363 } 364 365 // If using old md5 password, rehash. 
366 if ( strlen($login->user_pass) <= 32 ) { 367 $hash = wp_hash_password($password); 368 $wpdb->query("UPDATE $wpdb->users SET user_pass = '$hash', user_activation_key = '' WHERE ID = '$login->ID'"); 369 wp_cache_delete($login->ID, 'users'); 370 } 371 372 return true; 373 358 374 } 359 375 } 360 376 endif; 361 377 378 if ( !function_exists('wp_validate_auth_cookie') ) : 379 function wp_validate_auth_cookie($cookie = '') { 380 if ( empty($cookie) ) { 381 if ( empty($_COOKIE[AUTH_COOKIE]) ) 382 return false; 383 $cookie = $_COOKIE[AUTH_COOKIE]; 384 } 385 386 list($username, $expiration, $hmac) = explode('|', $cookie); 387 388 $expired = $expiration; 389 390 // Allow a grace period for POST and AJAX requests 391 if ( defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'] ) 392 $expired += 3600; 393 394 if ( $expired < time() ) 395 return false; 396 397 $key = wp_hash($username . $expiration); 398 $hash = hash_hmac('md5', $username . $expiration, $key); 399 400 if ( $hmac != $hash ) 401 return false; 402 403 $user = get_userdatabylogin($username); 404 if ( ! $user ) 405 return false; 406 407 return $user->ID; 408 } 409 endif; 410 411 if ( !function_exists('wp_set_auth_cookie') ) : 412 function wp_set_auth_cookie($user_id, $remember = false) { 413 $user = get_userdata($user_id); 414 415 if ( $remember ) { 416 $expiration = $expire = time() + 1209600; 417 } else { 418 $expiration = time() + 172800; 419 $expire = 0; 420 } 421 422 $key = wp_hash($user->user_login . $expiration); 423 $hash = hash_hmac('md5', $user->user_login . $expiration, $key); 424 425 $cookie = $user->user_login . '|' . $expiration . '|' . 
$hash; 426 427 setcookie(AUTH_COOKIE, $cookie, $expire, COOKIEPATH, COOKIE_DOMAIN); 428 if ( COOKIEPATH != SITECOOKIEPATH ) 429 setcookie(AUTH_COOKIE, $cookie, $expire, SITECOOKIEPATH, COOKIE_DOMAIN); 430 } 431 endif; 432 433 if ( !function_exists('wp_clear_auth_cookie') ) : 434 function wp_clear_auth_cookie() { 435 setcookie(AUTH_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 436 setcookie(AUTH_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 437 438 // Old cookies 439 setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 440 setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN); 441 setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 442 setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN); 443 } 444 endif; 445 446 362 447 if ( !function_exists('is_user_logged_in') ) : 363 448 function is_user_logged_in() { 364 449 $user = wp_get_current_user(); … … 373 458 if ( !function_exists('auth_redirect') ) : 374 459 function auth_redirect() { 375 460 // Checks if a user is logged in, if not redirects them to the login page 376 if ( (!empty($_COOKIE[ USER_COOKIE]) &&377 !wp_ login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) ||378 (empty($_COOKIE[ USER_COOKIE])) ) {461 if ( (!empty($_COOKIE[AUTH_COOKIE]) && 462 !wp_validate_auth_cookie($_COOKIE[AUTH_COOKIE])) || 463 (empty($_COOKIE[AUTH_COOKIE])) ) { 379 464 nocache_headers(); 380 465 wp_clearcookie(); 381 466 … … 399 484 400 485 if ( !function_exists('check_ajax_referer') ) : 401 486 function check_ajax_referer() { 402 $current_ name= '';487 $current_id = ''; 403 488 if ( ( $current = wp_get_current_user() ) && $current->ID ) 404 $current_ name = $current->data->user_login;405 if ( !$current_ name)489 $current_id = $current->ID; 490 if ( !$current_id ) 406 491 die('-1'); 407 492 493 $auth_cookie = ''; 408 494 $cookie = explode('; ', urldecode(empty($_POST['cookie']) ? 
$_GET['cookie'] : $_POST['cookie'])); // AJAX scripts must pass cookie=document.cookie 409 495 foreach ( $cookie as $tasty ) { 410 if ( false !== strpos($tasty, USER_COOKIE) ) 411 $user = substr(strstr($tasty, '='), 1); 412 if ( false !== strpos($tasty, PASS_COOKIE) ) 413 $pass = substr(strstr($tasty, '='), 1); 496 if ( false !== strpos($tasty, AUTH_COOKIE) ) 497 $auth_cookie = substr(strstr($tasty, '='), 1); 414 498 } 415 499 416 if ( $current_name != $user || !wp_login( $user, $pass, true) )500 if ( empty($auth_cookie) ) 417 501 die('-1'); 502 503 if ( ! $user_id = wp_validate_auth_cookie( $auth_cookie ) ) 504 die('-1'); 505 506 if ( $current_id != $user_id ) 507 die('-1'); 508 418 509 do_action('check_ajax_referer'); 419 510 } 420 511 endif; … … 493 584 } 494 585 endif; 495 586 496 if ( !function_exists('wp_get_cookie_login') ):497 function wp_get_cookie_login() {498 if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) )499 return false;500 587 501 return array('login' => $_COOKIE[USER_COOKIE], 'password' => $_COOKIE[PASS_COOKIE]);502 }503 504 endif;505 506 if ( !function_exists('wp_setcookie') ) :507 function wp_setcookie($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {508 if ( !$already_md5 )509 $password = md5( md5($password) ); // Double hash the password in the cookie.510 511 if ( empty($home) )512 $cookiepath = COOKIEPATH;513 else514 $cookiepath = preg_replace('|https?://[^/]+|i', '', $home . '/' );515 516 if ( empty($siteurl) ) {517 $sitecookiepath = SITECOOKIEPATH;518 $cookiehash = COOKIEHASH;519 } else {520 $sitecookiepath = preg_replace('|https?://[^/]+|i', '', $siteurl . 
'/' );521 $cookiehash = md5($siteurl);522 }523 524 if ( $remember )525 $expire = time() + 31536000;526 else527 $expire = 0;528 529 setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN);530 setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);531 532 if ( $cookiepath != $sitecookiepath ) {533 setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN);534 setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);535 }536 }537 endif;538 539 if ( !function_exists('wp_clearcookie') ) :540 function wp_clearcookie() {541 setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);542 setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);543 setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);544 setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);545 }546 endif;547 548 588 if ( ! function_exists('wp_notify_postauthor') ) : 549 589 function wp_notify_postauthor($comment_id, $comment_type='') { 550 590 global $wpdb; … … 712 752 713 753 if ( !function_exists('wp_salt') ) : 714 754 function wp_salt() { 755 if ( defined('SECRET_KEY') && '' != SECRET_KEY ) 756 return SECRET_KEY; 757 715 758 $salt = get_option('secret'); 716 if ( empty($salt) ) 717 $salt = DB_PASSWORD . DB_USER . DB_NAME . DB_HOST . ABSPATH; 759 if ( empty($salt) ) { 760 $salt = wp_generate_password(); 761 update_option('secret', $salt); 762 } 718 763 719 764 return $salt; 720 765 } … … 732 777 } 733 778 endif; 734 779 780 if ( !function_exists('wp_hash_password') ) : 781 function wp_hash_password($password) { 782 global $wp_hasher; 783 784 if ( empty($wp_hasher) ) { 785 require_once( ABSPATH . 
'wp-includes/class-phpass.php'); 786 // By default, use the portable hash from phpass 787 $wp_hasher = new PasswordHash(8, TRUE); 788 } 789 790 return $wp_hasher->HashPassword($password); 791 } 792 endif; 793 794 795 if ( !function_exists('wp_check_password') ) : 796 function wp_check_password($password, $hash) { 797 global $wp_hasher; 798 799 if ( strlen($hash) <= 32 ) 800 return ( $hash == md5($password) ); 801 802 // If the stored hash is longer than an MD5, presume the 803 // new style phpass portable hash. 804 if ( empty($wp_hasher) ) { 805 require_once( ABSPATH . 'wp-includes/class-phpass.php'); 806 // By default, use the portable hash from phpass 807 $wp_hasher = new PasswordHash(8, TRUE); 808 } 809 810 return $wp_hasher->CheckPassword($password, $hash); 811 } 812 endif; 813 814 815 // Deprecated. Use wp_set_auth_cookie() 816 if ( !function_exists('wp_setcookie') ) : 817 function wp_setcookie($username, $password = '', $already_md5 = false, $home = '', $siteurl = '', $remember = false) { 818 $user = get_userdatabylogin($username); 819 wp_set_auth_cookie($user->ID, $remember); 820 } 821 endif; 822 823 // Deprecated. Use wp_clear_auth_cookie() 824 if ( !function_exists('wp_clearcookie') ) : 825 function wp_clearcookie() { 826 wp_clear_auth_cookie(); 827 } 828 endif; 829 830 // Deprecated. No alternative. 831 if ( !function_exists('wp_get_cookie_login') ): 832 function wp_get_cookie_login() { 833 return false; 834 } 835 endif; 836 837 735 838 ?> -
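Review bot: `wp_validate_auth_cookie()` checks the cookie's MAC with `$hmac != $hash`, and `wp_check_password()` checks legacy hashes with `$hash == md5($password)`; PHP's loose comparison converts two numeric-looking strings to numbers, so distinct hex digests can compare equal. Use strict comparison in both places, `if ( $hmac !== $hash )` and `return ( $hash === md5($password) );`, and ideally a comparison whose running time does not depend on where the strings differ. The `explode('|', $cookie)` result is also used without checking that it has three parts or that `$expiration` is numeric; a guard such as `if ( substr_count($cookie, '|') != 2 ) return false;` ahead of the `list()` would reject malformed cookies cleanly. Separately, the MAC covers only the login and the expiry, so as far as these hunks show, a password change does not invalidate cookies that were already issued.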
wp-includes/registration.php
old new 54 54 } else { 55 55 $update = false; 56 56 // Password is not hashed when creating new user. 57 $user_pass = md5($user_pass);57 $user_pass = wp_hash_password($user_pass); 58 58 } 59 59 60 60 $user_login = sanitize_user($user_login, true); … … 163 163 // If password is changing, hash it now. 164 164 if ( ! empty($userdata['user_pass']) ) { 165 165 $plaintext_pass = $userdata['user_pass']; 166 $userdata['user_pass'] = md5($userdata['user_pass']);166 $userdata['user_pass'] = wp_hash_password($userdata['user_pass']); 167 167 } 168 168 169 169 // Merge old and new fields with new fields overwriting old ones. … … 174 174 $current_user = wp_get_current_user(); 175 175 if ( $current_user->id == $ID ) { 176 176 if ( isset($plaintext_pass) ) { 177 wp_clear cookie();178 wp_set cookie($userdata['user_login'], $plaintext_pass);177 wp_clear_auth_cookie(); 178 wp_set_auth_cookie($ID); 179 179 } 180 180 } 181 181 -
wp-includes/user.php
old new 21 21 } else { 22 22 $userdata = $cache_userdata[$user_login]; 23 23 } 24 return ( md5($user_pass) == $userdata->user_pass);24 return (wp_hash_password($user_pass) == $userdata->user_pass); 25 25 } 26 26 27 27 // -
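Review bot: The new line 24, `return (wp_hash_password($user_pass) == $userdata->user_pass);`, cannot succeed for a correct password. `wp_hash_password()` goes through `PasswordHash::HashPassword()`, which draws a fresh random salt on every call, so a newly computed hash never equals the stored one, and a stored legacy MD5 value never equals a phpass string either. Verification has to reuse the salt embedded in the stored hash, which the helper added in pluggable.php does: `return wp_check_password($user_pass, $userdata->user_pass);`. The enclosing function begins above the hunk, so its callers are not visible here, but each of them would see every password check fail.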
wp-config-sample.php
old new 7 7 define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value 8 8 define('DB_CHARSET', 'utf8'); 9 9 define('DB_COLLATE', ''); 10 define('SECRET_KEY', ''); // Change this to a unique phrase. 10 11 define('VHOST', 'VHOSTSETTING'); 11 12 $base = 'BASE'; 12 13 -
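Review bot: The comment on the new `SECRET_KEY` line, `// Change this to a unique phrase.`, undersells what the value is for. wp_salt() in this patch returns a non-empty `SECRET_KEY` directly as the hashing salt, so it should be long, random and private rather than a memorable phrase. Suggested wording: `// Set to a long random string and keep it private; if left empty, a generated secret stored in the database is used instead.`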
wp-settings.php
old new 284 284 endif; 285 285 286 286 if ( !defined('USER_COOKIE') ) 287 define('USER_COOKIE', 'wordpressuser ');287 define('USER_COOKIE', 'wordpressuser_' . COOKIEHASH); 288 288 if ( !defined('PASS_COOKIE') ) 289 define('PASS_COOKIE', 'wordpresspass'); 289 define('PASS_COOKIE', 'wordpresspass_' . COOKIEHASH); 290 if ( !defined('AUTH_COOKIE') ) 291 define('AUTH_COOKIE', 'wordpress_' . COOKIEHASH); 290 292 if ( !defined('COOKIEPATH') ) 291 293 define('COOKIEPATH', $current_site->path ); 292 294 if ( !defined('SITECOOKIEPATH') ) -
wp-admin/includes/misc.php
old new 129 129 update_option( 'recently_edited', $oldfiles ); 130 130 } 131 131 132 // If siteurl or home changed, reset cookies andflush rewrite rules.132 // If siteurl or home changed, flush rewrite rules. 133 133 function update_home_siteurl( $old_value, $value ) { 134 134 global $wp_rewrite, $user_login, $user_pass_md5; 135 135 … … 138 138 139 139 // If home changed, write rewrite rules to new location. 140 140 $wp_rewrite->flush_rules(); 141 // Clear cookies for old paths.142 wp_clearcookie();143 // Set cookies for new paths.144 wp_setcookie( $user_login, $user_pass_md5, true, get_option( 'home' ), get_option( 'siteurl' ));145 141 } 146 142 147 143 add_action( 'update_option_home', 'update_home_siteurl', 10, 2 );
