Users: prevent saving empty passwords, trim space from password ends on save.

Fix an issue where users could save a password with only spaces, or spaces at the beginning or end of their password, preventing them from logging in. Props ronakganatra, 1naveengiri, ajensen, oolleegg55, bookdude13, nrqsnchz, aristath. Fixes #42766. git-svn-id: https://develop.svn.wordpress.org/trunk@49118 602fd350-edb4-49c9-b593-d223f7449a82
2020-10-10 16:49:35 +00:00 · 2020-10-10 16:49:35 +00:00 · 4f3c9c1f30
commit 4f3c9c1f30
parent ac0e283045
3 changed files with 16 additions and 3 deletions
--- a/src/js/_enqueues/admin/user-profile.js
+++ b/src/js/_enqueues/admin/user-profile.js
@ -215,7 +215,7 @@
 		var pass1 = $('#pass1').val(), strength;

 		$('#pass-strength-result').removeClass('short bad good strong empty');
-		if ( ! pass1 ) {
+		if ( ! pass1 || '' ===  pass1.trim() ) {
 			$( '#pass-strength-result' ).addClass( 'empty' ).html( '&nbsp;' );
 			return;
 		}
--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@ -47,10 +47,10 @@ function edit_user( $user_id = 0 ) {
 	$pass1 = '';
 	$pass2 = '';
 	if ( isset( $_POST['pass1'] ) ) {
-		$pass1 = $_POST['pass1'];
+		$pass1 = trim( $_POST['pass1'] );
 	}
 	if ( isset( $_POST['pass2'] ) ) {
-		$pass2 = $_POST['pass2'];
+		$pass2 = trim( $_POST['pass2'] );
 	}

 	if ( isset( $_POST['role'] ) && current_user_can( 'promote_users' ) && ( ! $user_id || current_user_can( 'promote_user', $user_id ) ) ) {
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
@ -1451,6 +1451,7 @@ class Tests_User extends WP_UnitTestCase {
 	 * Checks that calling edit_user() with no password returns an error when adding, and doesn't when updating.
 	 *
 	 * @ticket 35715
+	 * @ticket 42766
 	 */
 	function test_edit_user_blank_pw() {
 		$_POST                 = array();
@ -1491,6 +1492,18 @@ class Tests_User extends WP_UnitTestCase {
 		$this->assertInternalType( 'int', $user_id );
 		$this->assertSame( 'nickname_updated', $user->nickname );

+		// Check not to change an old password if a new password contains only spaces. Ticket #42766
+		$user           = get_user_by( 'ID', $user_id );
+		$old_pass       = $user->user_pass;
+		$_POST['pass2'] = '  ';
+		$_POST['pass1'] = '  ';
+
+		$user_id = edit_user( $user_id );
+		$user    = get_user_by( 'ID', $user_id );
+
+		$this->assertInternalType( 'int', $user_id );
+		$this->assertEquals( $old_pass, $user->user_pass );
+
 		// Check updating user with missing second password.
 		$_POST['nickname'] = 'nickname_updated2';
 		$_POST['pass1']    = 'blank_pass2';