Login, Registration: Prevent password reset to whitespace alone.

Prevent users from using the password reset form to set their password to whitespace alone (tabs, spaces). This matches the processing used during the authentication flow, ensuring users do not inadvertently get locked out of their account. Props antonrinas, swissspidy, voldemortensen, hellofromTonya, henry.wright, costdev. Fixes #35500. Built from https://develop.svn.wordpress.org/trunk@53067 git-svn-id: http://core.svn.wordpress.org/trunk@52656 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2022-04-05 03:27:03 +00:00 · 2022-04-05 03:27:03 +00:00 · d4f060b216
parent f908c6e495
commit d4f060b216
2 changed files with 12 additions and 2 deletions
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.0-alpha-53066';
+$wp_version = '6.0-alpha-53067';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
--- a/wp-login.php
+++ b/wp-login.php
@ -904,7 +904,17 @@ switch ( $action ) {

 		$errors = new WP_Error();

-		if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== $_POST['pass2'] ) {
+		// Check if password is one or all empty spaces.
+		if ( ! empty( $_POST['pass1'] ) ) {
+			$_POST['pass1'] = trim( $_POST['pass1'] );
+
+			if ( empty( $_POST['pass1'] ) ) {
+	  			$errors->add( 'password_reset_empty_space', __( 'The password cannot be a space or all spaces.' ) );
+			}
+  		}
+
+		// Check if password fields do not match.
+		if ( ! empty( $_POST['pass1'] ) && $_POST['pass1'] !== trim( $_POST['pass2'] ) ) {
 			$errors->add( 'password_reset_mismatch', __( '<strong>Error</strong>: The passwords do not match.' ) );
 		}