diff --git a/wp-admin/includes/schema.php b/wp-admin/includes/schema.php
index bcea77494..04f1973d0 100644
--- a/wp-admin/includes/schema.php
+++ b/wp-admin/includes/schema.php
@@ -224,7 +224,7 @@ function populate_options() {
 } // 2.0.3
- add_option('secret', md5(uniqid(microtime())));
+ add_option('secret', wp_generate_password());
 // 2.1
 add_option('blog_public', '1');
diff --git a/wp-admin/includes/upgrade.php b/wp-admin/includes/upgrade.php
index e5c0dd42e..334b6115b 100644
--- a/wp-admin/includes/upgrade.php
+++ b/wp-admin/includes/upgrade.php
@@ -35,7 +35,7 @@ function wp_install($blog_title, $user_name, $user_email, $public, $deprecated='
 // being shared among blogs. Just set the role in that case.
 $user_id = username_exists($user_name);
 if ( !$user_id ) {
- $random_password = substr(md5(uniqid(microtime())), 0, 6);
+ $random_password = wp_generate_password();
 $user_id = wp_create_user($user_name, $random_password, $user_email);
 } else {
 $random_password = __('User already exists. Password inherited.');
diff --git a/wp-admin/options-writing.php b/wp-admin/options-writing.php
index e8979c454..13f7710b2 100644
--- a/wp-admin/options-writing.php
+++ b/wp-admin/options-writing.php
@@ -59,7 +59,7 @@ endforeach;
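Review bot: `add_option('secret', wp_generate_password())` stores a seven-character alphanumeric string produced by mt_rand() (per the wp_generate_password() definition this commit adds in pluggable.php) as the site-wide 'secret' option; this hunk does not show what consumes 'secret', but a long-lived site-level value should not be sized or sourced like a throwaway user password. The md5(uniqid(microtime())) it replaces was time-derived and weak in practice as well, so the concern is less a regression than that the new value is only seven characters wide. A comment at the call site would make the intent reviewable, e.g. `// 'secret' is a persistent site key, not a user password: size and source it accordingly`, and the option should receive a longer value from a stronger source than mt_rand(). populate_options() continues on both sides of this hunk.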
-

%s, %s, %s.'), substr(md5(uniqid(microtime())),0,5), substr(md5(uniqid(microtime())),0,5), substr(md5(uniqid(microtime())),0,5)) ?>

+

%s, %s, %s.'), wp_generate_password(), wp_generate_password(), wp_generate_password()) ?>

@@ -121,4 +121,4 @@ endforeach;
-
\ No newline at end of file
+
diff --git a/wp-includes/pluggable.php b/wp-includes/pluggable.php
index 6e79f947e..b628e9e7a 100644
--- a/wp-includes/pluggable.php
+++ b/wp-includes/pluggable.php
@@ -744,4 +744,18 @@ function wp_check_password($password, $hash) {
 }
 endif;
+if ( !function_exists('wp_generate_password') ) :
+/**
+ * Generates a random password drawn from the defined set of characters
+ * @return string the password
+ **/
+function wp_generate_password() {
+ $chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+ $length = 7;
+ $password = '';
+ for ( $i = 0; $i < $length; $i++ )
+ $password .= substr($chars, mt_rand(0, 61), 1);
+ return $password;
+}
+endif;
 ?>
diff --git a/wp-login.php b/wp-login.php
index 41a56bf8f..645447546 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -110,9 +110,9 @@ case 'retrievepassword' :
 do_action('retreive_password', $user_login); // Misspelled and deprecated
 do_action('retrieve_password', $user_login);
- // Generate something random for a password... md5'ing current time with a rand salt
+ // Generate something random for a key...
 $key = substr( md5( uniqid( microtime() ) ), 0, 8);
- // Now insert the new pass md5'd into the db
+ // Now insert the new md5 key into the db
 $wpdb->query("UPDATE $wpdb->users SET user_activation_key = '$key' WHERE user_login = '$user_login'");
 $message = __('Someone has asked to reset the password for the following site and username.') . "\r\n\r\n";
 $message .= get_option('siteurl') . "\r\n\r\n";
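Review bot: `wp_generate_password()` builds every character from `mt_rand(0, 61)`, which is not a cryptographically secure generator, yet this commit routes the install-time admin password (upgrade.php), password resets and registration passwords (wp-login.php 'rp' and 'register' hunks) and the site 'secret' (schema.php) through it; the docblock should state this limit, e.g. `@return string the password (built from mt_rand(), not a cryptographically secure source)`. The upper bound `61` silently depends on `$chars` staying 62 characters long, and the length is fixed inside the body; `function wp_generate_password($length = 7) {` together with `$password .= $chars[mt_rand(0, strlen($chars) - 1)];` removes the magic number and lets callers that need longer values ask for them while leaving existing calls unchanged. The closing `**/` is also non-standard for a docblock and is better written as `*/`.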
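Review bot: The new comment `// Generate something random for a key...` sits above a line the commit leaves untouched, `$key = substr( md5( uniqid( microtime() ) ), 0, 8);`, so the password-reset activation key is still derived from the current time and truncated to eight hex characters, the very construction this commit removes from the password sites. Since this value is written to user_activation_key and is presumably what the later reset step has to match, it deserves at least the same treatment the passwords get, e.g. `$key = wp_generate_password();`, and ideally a longer value. The `$wpdb->query` below it interpolates `$key` and `$user_login` into the SQL string directly; that is pre-existing context rather than part of this change, but worth noting while the block is being revised. The 'retrievepassword' case continues outside the hunk.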
@@ -182,8 +182,8 @@ case 'rp' :
 do_action('password_reset');
- // Generate something random for a password... md5'ing current time with a rand salt
- $new_pass = substr( md5( uniqid( microtime() ) ), 0, 7);
+ // Generate something random for a password...
+ $new_pass = wp_generate_password();
 $new_hash = wp_hash_password($new_pass);
 $wpdb->query("UPDATE $wpdb->users SET user_pass = '$new_hash', user_activation_key = '' WHERE ID = '$user->ID'");
 wp_cache_delete($user->ID, 'users');
@@ -241,7 +241,7 @@ case 'register' :
 $errors = apply_filters( 'registration_errors', $errors );
 if ( empty( $errors ) ) {
- $user_pass = substr( md5( uniqid( microtime() ) ), 0, 7);
+ $user_pass = wp_generate_password();
 $user_id = wp_create_user( $user_login, $user_pass, $user_email );
 if ( !$user_id )