diff --git a/wp-includes/class-phpass.php b/wp-includes/class-phpass.php index 055925b20f..f8f659648e 100644 --- a/wp-includes/class-phpass.php +++ b/wp-includes/class-phpass.php @@ -10,7 +10,7 @@ # # Portable PHP password hashing framework. # -# Version 0.5 / WordPress. +# Version 0.5.4 / WordPress. # # Written by Solar Designer in 2004-2006 and placed in # the public domain. Revised in subsequent years, still public domain. @@ -51,15 +51,17 @@ class PasswordHash { { $this->itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'; - if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) + if ($iteration_count_log2 < 4 || $iteration_count_log2 > 31) { $iteration_count_log2 = 8; + } $this->iteration_count_log2 = $iteration_count_log2; $this->portable_hashes = $portable_hashes; $this->random_state = microtime(); - if (function_exists('getmypid')) + if (function_exists('getmypid')) { $this->random_state .= getmypid(); + } } function PasswordHash($iteration_count_log2, $portable_hashes) @@ -96,16 +98,20 @@ class PasswordHash { do { $value = ord($input[$i++]); $output .= $this->itoa64[$value & 0x3f]; - if ($i < $count) + if ($i < $count) { $value |= ord($input[$i]) << 8; + } $output .= $this->itoa64[($value >> 6) & 0x3f]; - if ($i++ >= $count) + if ($i++ >= $count) { break; - if ($i < $count) + } + if ($i < $count) { $value |= ord($input[$i]) << 16; + } $output .= $this->itoa64[($value >> 12) & 0x3f]; - if ($i++ >= $count) + if ($i++ >= $count) { break; + } $output .= $this->itoa64[($value >> 18) & 0x3f]; } while ($i < $count); @@ -115,8 +121,8 @@ class PasswordHash { function gensalt_private($input) { $output = '$P$'; - $output .= $this->itoa64[min($this->iteration_count_log2 + - ((PHP_VERSION >= '5') ? 5 : 3), 30)]; + $output .= $this->itoa64[min($this->iteration_count_log2 + 5, + 30)]; $output .= $this->encode64($input, 6); return $output; @@ -125,23 +131,27 @@ class PasswordHash { function crypt_private($password, $setting) { $output = '*0'; - if (substr($setting, 0, 2) === $output) + if (substr($setting, 0, 2) === $output) { $output = '*1'; + } $id = substr($setting, 0, 3); # We use "$P$", phpBB3 uses "$H$" for the same thing - if ($id !== '$P$' && $id !== '$H$') + if ($id !== '$P$' && $id !== '$H$') { return $output; + } $count_log2 = strpos($this->itoa64, $setting[3]); - if ($count_log2 < 7 || $count_log2 > 30) + if ($count_log2 < 7 || $count_log2 > 30) { return $output; + } $count = 1 << $count_log2; $salt = substr($setting, 4, 8); - if (strlen($salt) !== 8) + if (strlen($salt) !== 8) { return $output; + } # We were kind of forced to use MD5 here since it's the only # cryptographic primitive that was available in all versions @@ -174,7 +184,7 @@ class PasswordHash { $output = '$2a$'; $output .= chr((int)(ord('0') + $this->iteration_count_log2 / 10)); - $output .= chr((ord('0') + $this->iteration_count_log2 % 10)); + $output .= chr(ord('0') + $this->iteration_count_log2 % 10); $output .= '$'; $i = 0; @@ -213,17 +223,20 @@ class PasswordHash { $random = $this->get_random_bytes(16); $hash = crypt($password, $this->gensalt_blowfish($random)); - if (strlen($hash) === 60) + if (strlen($hash) === 60) { return $hash; + } } - if (strlen($random) < 6) + if (strlen($random) < 6) { $random = $this->get_random_bytes(6); + } $hash = $this->crypt_private($password, $this->gensalt_private($random)); - if (strlen($hash) === 34) + if (strlen($hash) === 34) { return $hash; + } # Returning '*' on error is safe here, but would _not_ be safe # in a crypt(3)-like function used _both_ for generating new @@ -238,8 +251,9 @@ class PasswordHash { } $hash = $this->crypt_private($password, $stored_hash); - if ($hash[0] === '*') + if ($hash[0] === '*') { $hash = crypt($password, $stored_hash); + } # This is not constant-time. In order to keep the code simple, # for timing safety we currently rely on the salts being diff --git a/wp-includes/version.php b/wp-includes/version.php index ea579c8f67..3e5f715016 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -16,7 +16,7 @@ * * @global string $wp_version */ -$wp_version = '6.7-alpha-59029'; +$wp_version = '6.7-alpha-59030'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.