From ef89c31cce98a70099a894cc85eb93b783776936 Mon Sep 17 00:00:00 2001
From: Timothy Jacobs
Date: Tue, 21 Feb 2023 15:57:36 +0000
Subject: [PATCH] Recovery Mode: Use PasswordHash API directly when validating keys.
Previously, the wp_check_password function was used for validating keys, while the PasswordHash class was used for creating keys. This would prevent Recovery Mode from working on sites that provide a custom implementation for the wp_check_password pluggable function.
Props calvinalkan.
Fixes #56787.
git-svn-id: https://develop.svn.wordpress.org/trunk@55397 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/class-wp-recovery-mode-key-service.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/wp-includes/class-wp-recovery-mode-key-service.php b/src/wp-includes/class-wp-recovery-mode-key-service.php
index 5ab0f8c3f9..73713caeb9 100644
--- a/src/wp-includes/class-wp-recovery-mode-key-service.php
+++ b/src/wp-includes/class-wp-recovery-mode-key-service.php
@@ -85,12 +85,15 @@ final class WP_Recovery_Mode_Key_Service {
  *
  * @since 5.2.0
  *
+ * @global PasswordHash $wp_hasher
+ *
  * @param string $token The token used when generating the given key.
  * @param string $key The unhashed key.
  * @param int $ttl Time in seconds for the key to be valid for.
  * @return true|WP_Error True on success, error object on failure.
  */
 public function validate_recovery_mode_key( $token, $key, $ttl ) {
+ global $wp_hasher;
 $records = $this->get_keys();
@@ -106,7 +109,12 @@ final class WP_Recovery_Mode_Key_Service {
 return new WP_Error( 'invalid_recovery_key_format', __( 'Invalid recovery key format.' ) );
 }
- if ( ! wp_check_password( $key, $record['hashed_key'] ) ) {
+ if ( empty( $wp_hasher ) ) {
+ require_once ABSPATH . WPINC . '/class-phpass.php';
+ $wp_hasher = new PasswordHash( 8, true );
+ }
+
+ if ( ! $wp_hasher->CheckPassword( $key, $record['hashed_key'] ) ) {
 return new WP_Error( 'hash_mismatch', __( 'Invalid recovery key.' ) );
 }
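Review bot: The new `$wp_hasher->CheckPassword()` call in the second hunk needs a comment stating why `wp_check_password()` is deliberately bypassed, because a later reader will see a raw phpass call beside a core helper and "fix" it back, reintroducing the creation/validation mismatch this commit removes: `// Deliberately not wp_check_password(): keys are hashed with PasswordHash directly, so a pluggable override of the check function could use a different scheme. See #56787.` The lazy `empty( $wp_hasher )` initialisation is, going by the commit message, the same sequence key generation already runs, so a small private helper returning the hasher would keep creation and validation on one object and stop the two copies drifting; that is inferred from the message, since the generation code is not in the diff. The same comment could add that the `8, true` constructor arguments presumably only govern newly created hashes, as phpass reads the iteration count and salt back out of the stored hash when checking — confirm against class-phpass.php before stating it. validate_recovery_mode_key() opens in the first hunk and its remaining checks continue past the end of the second.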