HostForge-Systems/wordpress
Template
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Application Passwords: Correct the fallback behaviour for application passwords that don't use a generic hash.

Browse Source 
Application passwords that aren't hashed using BLAKE2b should be checked using wp_check_password() rather than assuming they were hashed with phpass. This provides full back compat support for application passwords that were created via an overridden wp_hash_password() function that uses an alternative hashing algorithm.

Reviewed by audrasjb.
Merges [60123] into the 6.8 branch.

Props snicco, debarghyabanerjee, peterwilsoncc, jorbin, johnbillion.

Fixes #63203

Built from https://develop.svn.wordpress.org/branches/6.8@60125


git-svn-id: http://core.svn.wordpress.org/branches/6.8@59461 1a063a9b-81f0-0310-95a4-ce76da25c4cd
This commit is contained in:
John Blackbourn
2025-04-03 14:38:27 +00:00
parent 2330906e21
commit cc39c68706
3 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
wp-includes/class-wp-application-passwords.php
View File

@@ -502,6 +502,14 @@ class WP_Application_Passwords {
string $password,
string $hash
): bool {
if ( ! str_starts_with( $hash, '$generic$' ) ) {
/*
* If the hash doesn't start with `$generic$`, it is a hash created with `wp_hash_password()`.
* This is the case for application passwords created before 6.8.0.
*/
return wp_check_password( $password, $hash );
}
return wp_verify_fast_hash( $password, $hash );
}
}

4
wp-includes/functions.php
View File

@@ -9150,8 +9150,8 @@ function wp_fast_hash(
* Checks whether a plaintext message matches the hashed value. Used to verify values hashed via wp_fast_hash().
*
* The function uses Sodium to hash the message and compare it to the hashed value. If the hash is not a generic hash,
* the hash is treated as a phpass portable hash in order to provide backward compatibility for application passwords
* which were hashed using phpass prior to WordPress 6.8.0.
* the hash is treated as a phpass portable hash in order to provide backward compatibility for passwords and security
* keys which were hashed using phpass prior to WordPress 6.8.0.
*
* @since 6.8.0
*

2
wp-includes/version.php
View File

@@ -16,7 +16,7 @@
*
* @global string $wp_version
*/
$wp_version = '6.8-RC2-60118';
$wp_version = '6.8-RC2-60125';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.