From a742b270ff996ef0b14063113cf8ebe11e4cbcf1 Mon Sep 17 00:00:00 2001
From: Peter Wilson
Date: Tue, 5 Apr 2022 03:25:38 +0000
Subject: [PATCH] Login, Registration: Prevent password reset to whitespace alone. Prevent users from using the password reset form to set their password to whitespace alone (tabs, spaces). This matches the processing used during the authentication flow, ensuring users do not inadvertently get locked out of their account. Props antonrinas, swissspidy, voldemortensen, hellofromTonya, henry.wright, costdev. Fixes #35500.
git-svn-id: https://develop.svn.wordpress.org/trunk@53067 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-login.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/wp-login.php b/src/wp-login.php
index 45c207d81a..781f8b246f 100644
--- a/src/wp-login.php
+++ b/src/wp-login.php
@@ -904,7 +904,17 @@ switch ( $action ) {
 $errors = new WP_Error();
- if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== $_POST['pass2'] ) {
+ // Check if password is one or all empty spaces.
+ if ( ! empty( $_POST['pass1'] ) ) {
+ $_POST['pass1'] = trim( $_POST['pass1'] );
+
+ if ( empty( $_POST['pass1'] ) ) {
+ $errors->add( 'password_reset_empty_space', __( 'The password cannot be a space or all spaces.' ) );
+ }
+ }
+
+ // Check if password fields do not match.
+ if ( ! empty( $_POST['pass1'] ) && $_POST['pass1'] !== trim( $_POST['pass2'] ) ) {
 $errors->add( 'password_reset_mismatch', __( 'Error: The passwords do not match.' ) );
 }
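Review bot: Both new `trim()` calls take `$_POST['pass1']` and `$_POST['pass2']` exactly as the request supplied them, so a form submission that sends either field as an array reaches `trim()` with a non-string, which is a TypeError on PHP 8 and a warning on older versions. Checking the type first, for example `$pass2 = ( isset( $_POST['pass2'] ) && is_string( $_POST['pass2'] ) ) ? trim( $_POST['pass2'] ) : '';` and adding the same `is_string()` test to the `pass1` condition, keeps malformed input on the normal `$errors` path instead of an unhandled error. Separately, `empty()` treats the string `'0'` as empty, so a `pass1` of `0` now skips the mismatch check that the old `isset()` condition applied, and a padded `0` is reported as "all spaces". Comparing against `''` would avoid that, although the code that actually sets the password lies outside this hunk and may apply its own `empty()` test. The enclosing `switch` case begins and ends outside the hunk.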