Description
Bug Report
- Yes, I reviewed the contribution guidelines.
- Yes, more specifically, I reviewed the guidelines on how to write clear bug reports.
Describe the current, buggy behavior
The "core install" and "user check-password" commands don't use wp_slash()
on passwords, as they should, so quotes in passwords will break logins,
but check-password works.
Describe how other contributors can replicate this bug
If you create the site with a double-quote in the password:
$ wp core install --admin_email=test@test.test --url=http://test.test --title='test' --admin_user=test --admin_password='R^^CzY;G"iZ@]H9b,'
$ wp user check-password test 'R^^CzY;G"iZ@]H9b,'
$ echo $?
0
... however logging in with this password via the website will fail.
If you re-set the password:
$ wp user update 1 --user_pass='R^^CzY;G"iZ@]H9b,'
Success: Updated user 1.
$ wp user check-password test 'R^^CzY;G"iZ@]H9b,'
$ echo $?
1
... check-password fails, but the logins now work correctly.
Describe what you expect as the correct outcome
wp core install should cope with quote characters in the password, as
wp user update does. Furthermore, wp user check-password should be
consistent with wp-login.php's behaviour.
Let us know what environment you are running this on
OS: Linux 4.15.0-1040-gcp #42-Ubuntu SMP Wed Aug 7 15:17:54 UTC 2019 x86_64
Shell: /bin/bash
PHP binary: /usr/bin/php7.3
PHP version: 7.3.4-1+ubuntu16.04.1+deb.sury.org+3
php.ini used: /etc/php/7.3/cli/php.ini
WP-CLI root dir: phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir: phar://wp-cli.phar/vendor
WP_CLI phar path: /www/aaaquotetest_903/public
WP-CLI packages dir:
WP-CLI global config:
WP-CLI project config:
WP-CLI version: 2.1.0
Provide a possible solution
wp_slash() needs to be added on the passwords in the appropriate places.
I think, at minimum, these are:
https://github.com/wp-cli/core-command/blob/master/src/Core_Command.php#L600
https://github.com/wp-cli/entity-command/blob/master/src/User_Command.php#L1270
Here's the example where wp user update gets it right:
https://github.com/wp-cli/entity-command/blob/master/src/User_Command.php#L524
Here's a thread discussing the issue:
Hope that's helpful!
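
The mismatch described in this report, modelled as an added example (not code from the report, WP-CLI or WordPress). It assumes addslashes() behaves like wp_slash() on a string, uses password_hash()/password_verify() in place of WordPress's own hashing, and models the web login as checking the slashed password, which matches the outcomes reported above; all model_* names are hypothetical.

```php
<?php
// Simplified model of the slashing mismatch. Not WP-CLI or WordPress code.
// Assumptions: addslashes() stands in for wp_slash() on a string, and
// password_hash()/password_verify() stand in for WordPress's password hashing.

// "core install" as reported: the password is hashed exactly as typed.
function model_cli_install(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// "user update" as reported: the password is slashed before it is hashed.
function model_cli_update(string $password): string {
    return password_hash(addslashes($password), PASSWORD_DEFAULT);
}

// "user check-password" as reported: the password is compared exactly as typed.
function model_cli_check(string $password, string $hash): bool {
    return password_verify($password, $hash);
}

// Web login, modelled as comparing the slashed form of the submitted password
// (assumption, consistent with the outcomes listed in the report).
function model_web_login(string $password, string $hash): bool {
    return password_verify(addslashes($password), $hash);
}

$cases = [
    'with quote (from the report)' => 'R^^CzY;G"iZ@]H9b,',
    'no quote (constructed)'       => 'R^^CzY;GiZ@]H9b,',
];
$setters = [
    'core install' => 'model_cli_install',
    'user update'  => 'model_cli_update',
];

// For each password and each way of setting it, show which checks accept it.
foreach ($cases as $label => $pw) {
    foreach ($setters as $cmd => $setter) {
        $hash = $setter($pw);
        printf(
            "%-30s %-13s check-password=%-4s web-login=%s\n",
            $label,
            $cmd,
            model_cli_check($pw, $hash) ? 'ok' : 'FAIL',
            model_web_login($pw, $hash) ? 'ok' : 'FAIL'
        );
    }
}
```

Only the password containing a quote shows a disagreement between the two checks; without a character that addslashes() escapes, both setters and both checks agree, which is why the problem goes unnoticed with most passwords.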