Wp-cli: wp core install and wp user check-password don't escape the password.

Created on 6 Sep 2019 · 3 Comments · Source: wp-cli/wp-cli

Bug Report

Describe the current, buggy behavior

The "core install" and "user check-password" commands don't use wp_slash()
on passwords, as they should, so quotes in passwords will break logins,
but check-password works.

Describe how other contributors can replicate this bug

If you create the site with a double-quote in the password:

$ wp core install [email protected] --url=http://test.test --title='test' --admin_user=test --admin_password='R^^CzY;G"iZ@]H9b,'
$ wp user check-password test 'R^^CzY;G"iZ@]H9b,'
$ echo $?
0

... however logging in with this password via the website will fail.

If you re-set the password:

$ wp user update 1 --user_pass='R^^CzY;G"iZ@]H9b,'
Success: Updated user 1.
$ wp user check-password test 'R^^CzY;G"iZ@]H9b,'
$ echo $?
1

... check-password fails, but the logins now work correctly.

Describe what you expect as the correct outcome

wp core install should cope with quote characters in the password, as
wp user update does. Furthermore, wp user check-password should be
consistent with wp-login.php's behaviour.

Let us know what environment you are running this on

OS: Linux 4.15.0-1040-gcp #42-Ubuntu SMP Wed Aug 7 15:17:54 UTC 2019 x86_64
Shell:  /bin/bash
PHP binary: /usr/bin/php7.3
PHP version:    7.3.4-1+ubuntu16.04.1+deb.sury.org+3
php.ini used:   /etc/php/7.3/cli/php.ini
WP-CLI root dir:    phar://wp-cli.phar/vendor/wp-cli/wp-cli
WP-CLI vendor dir:  phar://wp-cli.phar/vendor
WP_CLI phar path:   /www/aaaquotetest_903/public
WP-CLI packages dir:    
WP-CLI global config:   
WP-CLI project config:  
WP-CLI version: 2.1.0

Provide a possible solution

wp_slash() needs to be added on the passwords in the appropriate places.
I think, at minimum, these are:

https://github.com/wp-cli/core-command/blob/master/src/Core_Command.php#L600
https://github.com/wp-cli/entity-command/blob/master/src/User_Command.php#L1270

Here's the example where wp user update gets it right:

https://github.com/wp-cli/entity-command/blob/master/src/User_Command.php#L524

Here's a thread discussing the issue:

https://wordpress.stackexchange.com/questions/205459/problems-after-wp-set-password-containing-an-apostrophe

Hope that's helpful!

breaking-change bug
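
The mismatch reported above, modelled as an added example (not WordPress or WP-CLI code): it hashes the password as each write path would pass it and verifies it as each read path would. Assumptions: wp_slash() on a string behaves like addslashes(), the web login verifies the slashed form of the submitted password, and password_hash() stands in for WordPress's own hasher.

```php
<?php
// Added illustration: a model of the slashing mismatch, not project source.
// Assumptions: wp_slash() on a string behaves like addslashes(); the web
// login verifies the slashed form of the submitted password; PHP's
// password_hash() stands in for WordPress's own password hasher.

$reported = 'R^^CzY;G"iZ@]H9b,';  // password from the report (contains a double quote)
$control  = 'correct-horse-42';    // constructed control value with nothing to escape

$raw     = function (string $p): string { return $p; };
$slashed = function (string $p): string { return addslashes($p); };

// How each path hands the password to the hasher, per the report.
$writers = [
    'core install (no wp_slash)' => $raw,
    'user update (wp_slash)'     => $slashed,
];
$readers = [
    'check-password (no wp_slash)' => $raw,
    'web login (slashed input)'    => $slashed,
];

// Hash with every writer, verify with every reader, return the result rows.
function matrix(string $pw, array $writers, array $readers): array
{
    $rows = [];
    foreach ($writers as $wname => $write) {
        // Low bcrypt cost keeps the demo fast; this is not a production setting.
        $hash = password_hash($write($pw), PASSWORD_BCRYPT, ['cost' => 4]);
        foreach ($readers as $rname => $read) {
            $rows[] = [$wname, $rname, password_verify($read($pw), $hash)];
        }
    }
    return $rows;
}

foreach ([$reported, $control] as $pw) {
    printf("password: %s  (slashed form: %s)\n", $pw, addslashes($pw));
    foreach (matrix($pw, $writers, $readers) as [$w, $r, $ok]) {
        printf("  %-28s -> %-30s %s\n", $w, $r, $ok ? 'match' : 'MISMATCH');
    }
}
```

A writer and a reader agree only when both slash or both leave the value raw, so the control password matches on every path while the quoted one matches only on like-for-like pairs.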

All 3 comments

I think this is the same issue as already reported here: #5089

Yes, this is a duplicate of #5089, however this contains valuable added information, so closing the old one.

Fixed for check-password via https://github.com/wp-cli/entity-command/pull/289.

Still needed for core install, which might be more of a breaking change...
