From 4f3c9c1f3023b680d77d8d865bb276020fee4020 Mon Sep 17 00:00:00 2001
From: Adam Silverstein
Date: Sat, 10 Oct 2020 16:49:35 +0000
Subject: [PATCH] Users: prevent saving empty passwords, trim space from password ends on save.
Fix an issue where users could save a password with only spaces, or spaces at the beginning or end of their password, preventing them from logging in.
Props ronakganatra, 1naveengiri, ajensen, oolleegg55, bookdude13, nrqsnchz, aristath.
Fixes #42766.
git-svn-id: https://develop.svn.wordpress.org/trunk@49118 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/js/_enqueues/admin/user-profile.js | 2 +-
 src/wp-admin/includes/user.php | 4 ++--
 tests/phpunit/tests/user.php | 13 +++++++++++++
 3 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/src/js/_enqueues/admin/user-profile.js b/src/js/_enqueues/admin/user-profile.js
index b73f2ab5c4..ef3e1afcc9 100644
--- a/src/js/_enqueues/admin/user-profile.js
+++ b/src/js/_enqueues/admin/user-profile.js
@@ -215,7 +215,7 @@
 var pass1 = $('#pass1').val(), strength;
 $('#pass-strength-result').removeClass('short bad good strong empty');
- if ( ! pass1 ) {
+ if ( ! pass1 || '' === pass1.trim() ) {
 $( '#pass-strength-result' ).addClass( 'empty' ).html( ' ' );
 return;
 }
diff --git a/src/wp-admin/includes/user.php b/src/wp-admin/includes/user.php
index de7cb989c1..5fbfd9f9b4 100644
--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@@ -47,10 +47,10 @@ function edit_user( $user_id = 0 ) {
 $pass1 = '';
 $pass2 = '';
 if ( isset( $_POST['pass1'] ) ) {
- $pass1 = $_POST['pass1'];
+ $pass1 = trim( $_POST['pass1'] );
 }
 if ( isset( $_POST['pass2'] ) ) {
- $pass2 = $_POST['pass2'];
+ $pass2 = trim( $_POST['pass2'] );
 }
 if ( isset( $_POST['role'] ) && current_user_can( 'promote_users' ) && ( ! $user_id || current_user_can( 'promote_user', $user_id ) ) ) {
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index b9d93325aa..c7a237c4d0 100644
--- a/tests/phpunit/tests/user.php
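Review bot: The new emptiness test in the guard `if ( ! pass1 || '' === pass1.trim() )` does not use the same definition of whitespace as the server-side half of this patch. `String.prototype.trim()` strips all Unicode whitespace and line terminators (U+00A0, for example), while PHP's `trim()` with its default character list only strips space, tab, newline, carriage return, NUL and vertical tab. A password made only of no-break spaces is therefore shown as empty by the meter but would presumably still be saved by `edit_user()`, and if the scoring code below this hunk uses the untrimmed `pass1`, padding can raise the displayed strength of a password that is stored shorter. I would add a comment on the guard such as `// Mirrors the server-side trim() in edit_user(); keep both whitespace sets in sync.` and trim once before scoring; the function body continues outside the hunk.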
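Review bot: `trim( $_POST['pass1'] )` and `trim( $_POST['pass2'] )` are called on request data without checking that the value is a string. A request that sends `pass1[]=x` makes the value an array; `trim()` then emits a warning and returns null on PHP 7 and throws a `TypeError` on PHP 8, so a malformed form post ends in an error instead of a validation message. Guard both assignments, e.g. `$pass1 = is_string( $_POST['pass1'] ) ? trim( $_POST['pass1'] ) : '';`. Because the stored password now silently differs from what was typed, a short comment such as `// Surrounding whitespace is stripped so the saved password matches what the login form accepts.` would help, provided the login path trims the same way (not visible here); `edit_user()` continues outside the hunk.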
+++ b/tests/phpunit/tests/user.php
@@ -1451,6 +1451,7 @@ class Tests_User extends WP_UnitTestCase {
 * Checks that calling edit_user() with no password returns an error when adding, and doesn't when updating.
 *
 * @ticket 35715
+ * @ticket 42766
 */
 function test_edit_user_blank_pw() {
 $_POST = array();
@@ -1491,6 +1492,18 @@ class Tests_User extends WP_UnitTestCase {
 $this->assertInternalType( 'int', $user_id );
 $this->assertSame( 'nickname_updated', $user->nickname );
+ // Check not to change an old password if a new password contains only spaces. Ticket #42766
+ $user = get_user_by( 'ID', $user_id );
+ $old_pass = $user->user_pass;
+ $_POST['pass2'] = ' ';
+ $_POST['pass1'] = ' ';
+
+ $user_id = edit_user( $user_id );
+ $user = get_user_by( 'ID', $user_id );
+
+ $this->assertInternalType( 'int', $user_id );
+ $this->assertEquals( $old_pass, $user->user_pass );
+
 // Check updating user with missing second password.
 $_POST['nickname'] = 'nickname_updated2';
 $_POST['pass1'] = 'blank_pass2';
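Review bot: The assertions added to `test_edit_user_blank_pw()` only cover a password made entirely of spaces; the other half of the change, stripping spaces from the ends of a real password, has no test in this hunk. A case that submits a padded value and then checks the stored hash against the unpadded string with `wp_check_password()` would pin that behaviour, assuming the rest of `$_POST` set up earlier in the method is still valid at that point. `assertEquals( $old_pass, $user->user_pass )` also compares loosely, so `assertSame` is the stricter choice for two hash strings. The creation path with a spaces-only password is presumably expected to return an error and could be asserted as well; the test method starts and ends outside the hunk.

```php
$this->assertSame( $old_pass, $user->user_pass );

// Constructed sample value: spaces at both ends must be stripped before the password is hashed.
$_POST['pass1'] = ' padded_pass ';
$_POST['pass2'] = ' padded_pass ';

$user_id = edit_user( $user_id );
$user    = get_user_by( 'ID', $user_id );

$this->assertInternalType( 'int', $user_id );
$this->assertTrue( wp_check_password( 'padded_pass', $user->user_pass, $user_id ) );

// … unchanged: "Check updating user with missing second password." block …
```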