Double hash password in cookies.

git-svn-id: https://develop.svn.wordpress.org/trunk@1788 602fd350-edb4-49c9-b593-d223f7449a82
2025-01-18 05:18:42 +01:00 · 2004-10-13 02:21:37 +00:00 · 2004-10-13 02:21:37 +00:00 · 0bee08aace
commit 0bee08aace
parent afe389d930
2 changed files with 4 additions and 2 deletions
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@ -1900,7 +1900,9 @@ function wp_login($username, $password, $already_md5 = false) {
 		$error = __('<strong>Error</strong>: Wrong login.');
 		return false;
 	} else {
-		if ( ($already_md5 && $login->user_login == $username && $login->user_pass == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
+		// If the password is already_md5, it has been double hashed.
+		// Otherwise, it is plain text.
+		if ( ($already_md5 && $login->user_login == $username && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
 			return true;
 		} else {
 			$error = __('<strong>Error</strong>: Incorrect password.');
--- a/wp-login.php
+++ b/wp-login.php
@ -159,7 +159,7 @@ default:
 	if ($log && $pwd) {
 		if ( wp_login($log, $pwd) ) {
 			$user_login = $log;
-			$user_pass = md5($pwd);
+			$user_pass = md5(md5($pwd)); // Double hash the password in the cookie.
 			setcookie('wordpressuser_'. COOKIEHASH, $user_login, time() + 31536000, COOKIEPATH);
 			setcookie('wordpresspass_'. COOKIEHASH, $user_pass, time() + 31536000, COOKIEPATH);