From d4f060b2163d9a63414312748c0dc4a15ec8865e Mon Sep 17 00:00:00 2001 From: Peter Wilson Date: Tue, 5 Apr 2022 03:27:03 +0000 Subject: [PATCH] Login, Registration: Prevent password reset to whitespace alone. Prevent users from using the password reset form to set their password to whitespace alone (tabs, spaces). This matches the processing used during the authentication flow, ensuring users do not inadvertently get locked out of their account. Props antonrinas, swissspidy, voldemortensen, hellofromTonya, henry.wright, costdev. Fixes #35500. Built from https://develop.svn.wordpress.org/trunk@53067 git-svn-id: http://core.svn.wordpress.org/trunk@52656 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/version.php | 2 +- wp-login.php | 12 +++++++++++- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/wp-includes/version.php b/wp-includes/version.php index 407c963bbd..972825a931 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -16,7 +16,7 @@ * * @global string $wp_version */ -$wp_version = '6.0-alpha-53066'; +$wp_version = '6.0-alpha-53067'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema. diff --git a/wp-login.php b/wp-login.php index 45c207d81a..781f8b246f 100644 --- a/wp-login.php +++ b/wp-login.php @@ -904,7 +904,17 @@ switch ( $action ) { $errors = new WP_Error(); - if ( isset( $_POST['pass1'] ) && $_POST['pass1'] !== $_POST['pass2'] ) { + // Check if password is one or all empty spaces. + if ( ! empty( $_POST['pass1'] ) ) { + $_POST['pass1'] = trim( $_POST['pass1'] ); + + if ( empty( $_POST['pass1'] ) ) { + $errors->add( 'password_reset_empty_space', __( 'The password cannot be a space or all spaces.' ) ); + } + } + + // Check if password fields do not match. + if ( ! empty( $_POST['pass1'] ) && $_POST['pass1'] !== trim( $_POST['pass2'] ) ) { $errors->add( 'password_reset_mismatch', __( 'Error: The passwords do not match.' ) ); }
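Review bot: The new `pass1` checks rely on `empty()`, which treats the string `'0'` as empty, so a submitted password of `' 0'` is trimmed to `'0'` and then rejected with the "cannot be a space or all spaces" message, while a bare `'0'` skips both the whitespace check and the mismatch check entirely. Testing against `''` after `isset()` keeps the intended behaviour (reject whitespace-only, report mismatches) without that false positive; the mismatch branch also now passes `$_POST['pass2']` through `trim()` unguarded, which raises an undefined-index notice when the field is absent and a `trim( null )` deprecation on PHP 8.1+. Since the `trim()` is applied in place, the value persisted later in this case is the trimmed one, which presumably mirrors the trimming in the authentication path the commit message mentions — a one-line comment such as `// Trim in place so the stored password matches what wp_authenticate() compares against.` would make that intent explicit for the next maintainer, hedged until confirmed against that code. The enclosing `switch ( $action )` case starts and ends outside the hunk.
```php
		// Check if password is one or all empty spaces (compare against '' so a password of "0" is not treated as empty).
		if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
			$_POST['pass1'] = trim( $_POST['pass1'] );

			if ( '' === $_POST['pass1'] ) {
				$errors->add( 'password_reset_empty_space', __( 'The password cannot be a space or all spaces.' ) );
			}
		}

		// Check if password fields do not match.
		$pass2 = isset( $_POST['pass2'] ) ? trim( $_POST['pass2'] ) : '';
		if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] && $_POST['pass1'] !== $pass2 ) {
		// … unchanged: password_reset_mismatch error …
```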