Recovery Mode: Use PasswordHash API directly when validating keys.

Previously, the wp_check_password function was used for validating keys, while the PasswordHash class was used for creating keys. This would prevent Recovery Mode from working on sites that provide a custom implementation for the wp_check_password pluggable function.

Props calvinalkan.
Fixes #56787.


git-svn-id: https://develop.svn.wordpress.org/trunk@55397 602fd350-edb4-49c9-b593-d223f7449a82
Timothy Jacobs 2023-02-21 15:57:36 +00:00
parent 683bba1b2d
commit ef89c31cce


@ -85,12 +85,15 @@ final class WP_Recovery_Mode_Key_Service {
*
* @since 5.2.0
*
* @global PasswordHash $wp_hasher
*
* @param string $token The token used when generating the given key.
* @param string $key The unhashed key.
* @param int $ttl Time in seconds for the key to be valid for.
* @return true|WP_Error True on success, error object on failure.
*/
public function validate_recovery_mode_key( $token, $key, $ttl ) {
global $wp_hasher;
$records = $this->get_keys();
@ -106,7 +109,12 @@ final class WP_Recovery_Mode_Key_Service {
return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) );
}
if ( ! wp_check_password( $key, $record['hashed_key'] ) ) {
if ( empty( $wp_hasher ) ) {
require_once ABSPATH . WPINC . '/class-phpass.php';
$wp_hasher = new PasswordHash( 8, true );
}
if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
}
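Review bot: The fallback `new PasswordHash( 8, true )` in the new validation path carries no comment saying why `wp_check_password()` is bypassed, so the commit message is the only record of it and a later "cleanup" back to the pluggable function would silently reintroduce the bug this commit fixes. I would add above the `if ( empty( $wp_hasher ) )` line: `// Use the PasswordHash API directly: wp_check_password() is pluggable and a custom implementation may not verify the phpass hash produced when the key was generated, so this hasher must be the same one generate_recovery_mode_key() uses.` Note that `$wp_hasher` is itself a global that a plugin may pre-populate, so the fix only holds while generation and validation read the same instance; if the same lazy construction is repeated in the generation method (the description implies it is), a small private helper returning the hasher would keep the two sides from drifting. The docblock in the first hunk gains `@global PasswordHash $wp_hasher` but no `@since` changelog line recording the switch to the PasswordHash API (6.2.0 if that is the target release), which the project's docblock convention expects. Both hunks sit inside `validate_recovery_mode_key()`, whose body continues past the second hunk.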