Users: when passing a `WP_User` instance to `wp_update_user()`, ensure that the user password is not accidentally double-hashed. This is terrifying.
Adds unit tests. Props tbcorr, salcode. Fixes #28435. git-svn-id: https://develop.svn.wordpress.org/trunk@35116 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
parent
4a2184d00c
commit
34cb01e2f1
|
@ -1602,7 +1602,7 @@ function wp_update_user($userdata) {
|
||||||
// Escape data pulled from DB.
|
// Escape data pulled from DB.
|
||||||
$user = add_magic_quotes( $user );
|
$user = add_magic_quotes( $user );
|
||||||
|
|
||||||
if ( ! empty($userdata['user_pass']) ) {
|
if ( ! empty( $userdata['user_pass'] ) && $userdata['user_pass'] !== $user_obj->user_pass ) {
|
||||||
// If password is changing, hash it now
|
// If password is changing, hash it now
|
||||||
$plaintext_pass = $userdata['user_pass'];
|
$plaintext_pass = $userdata['user_pass'];
|
||||||
$userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
|
$userdata['user_pass'] = wp_hash_password( $userdata['user_pass'] );
|
||||||
|
|
|
@ -954,4 +954,18 @@ class Tests_User extends WP_UnitTestCase {
|
||||||
|
|
||||||
wp_new_user_notification( $user, 'this_is_deprecated' );
|
wp_new_user_notification( $user, 'this_is_deprecated' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @ticket 28435
|
||||||
|
*/
|
||||||
|
function test_wp_update_user_no_change_pwd() {
|
||||||
|
$testuserid = 1;
|
||||||
|
$user = get_userdata( $testuserid );
|
||||||
|
$pwd_before = $user->user_pass;
|
||||||
|
wp_update_user( $user );
|
||||||
|
|
||||||
|
// Reload the data
|
||||||
|
$pwd_after = get_userdata( $testuserid )->user_pass;
|
||||||
|
$this->assertEquals( $pwd_before, $pwd_after );
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue