From 0dfe24e69b09251c41a92248ebde38ebb73978dc Mon Sep 17 00:00:00 2001
From: ryan
Date: Tue, 14 Feb 2012 18:29:22 +0000
Subject: [PATCH] Set post password cookies via an action in wp-login.php. Retire wp-pass.php (one less root file). Obey login ssl preferences for post password form submission. Props SergeyBiryukov. fixes #19798 git-svn-id: http://svn.automattic.com/wordpress/trunk@19925 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/post-template.php | 2 +-
 wp-login.php | 17 ++++++++++++++++-
 wp-pass.php | 22 ----------------------
 3 files changed, 17 insertions(+), 24 deletions(-)
 delete mode 100644 wp-pass.php
diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php
index 67b6c5083..3eed04df4 100644
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -1220,7 +1220,7 @@ function prepend_attachment($content) {
 function get_the_password_form() {
 global $post;
 $label = 'pwbox-' . ( empty($post->ID) ? rand() : $post->ID );
- $output = '
+ $output = '

' . __("This post is password protected. To view it please enter your password below:") . '

diff --git a/wp-login.php b/wp-login.php
index 5a9d6dbdb..dd62918ac 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -350,7 +350,7 @@ if ( isset($_GET['key']) )
 $action = 'resetpass';
 // validate action so as to default to the login screen
-if ( !in_array($action, array('logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login'), true) && false === has_filter('login_form_' . $action) )
+if ( !in_array( $action, array( 'postpass', 'logout', 'lostpassword', 'retrievepassword', 'resetpass', 'rp', 'register', 'login' ), true ) && false === has_filter( 'login_form_' . $action ) )
 $action = 'login';
 nocache_headers();
@@ -378,6 +378,21 @@ do_action( 'login_form_' . $action );
 $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
 switch ($action) {
+case 'postpass' :
+ if ( empty( $wp_hasher ) ) {
+ require_once( ABSPATH . 'wp-includes/class-phpass.php' );
+ // By default, use the portable hash from phpass
+ $wp_hasher = new PasswordHash(8, true);
+ }
+
+ // 10 days
+ setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 864000, COOKIEPATH );
+
+ wp_safe_redirect( wp_get_referer() );
+ exit();
+
+break;
+
 case 'logout' :
 check_admin_referer('log-out');
 wp_logout();
diff --git a/wp-pass.php b/wp-pass.php
deleted file mode 100644
index 39ac44874..000000000
--- a/wp-pass.php
+++ /dev/null
@@ -1,22 +0,0 @@
-HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 864000, COOKIEPATH );
-
-wp_safe_redirect( wp_get_referer() );
-exit;
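Review bot: The new `postpass` case in wp-login.php reads `$_POST['post_password']` without checking that the request is a POST or that the field is present and a string, although `$http_post` is computed immediately above the switch. A request that selects this action without posting the field, or with an array-valued field, still reaches `stripslashes()` and `setcookie()`; a guard at the top of the case such as `if ( ! $http_post || ! isset( $_POST['post_password'] ) || ! is_string( $_POST['post_password'] ) ) { wp_safe_redirect( wp_get_referer() ); exit(); }` would avoid that. The `setcookie()` call passes only four arguments, so the cookie carries neither the secure nor the HttpOnly flag even when the form was submitted over SSL. The `break;` after `exit();` is unreachable and can be dropped; the switch itself continues outside the hunk.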