Hash post password in cookies. fixes #19797

git-svn-id: http://svn.automattic.com/wordpress/trunk@19728 1a063a9b-81f0-0310-95a4-ce76da25c4cd

wp-includes/post-template.php

@@ -558,18 +558,25 @@ function get_body_class( $class = '' ) {
  * @return bool false if a password is not required or the correct password cookie is present, true otherwise.
  */
 function post_password_required( $post = null ) {
+	global $wp_hasher;
+
 	$post = get_post($post);
 
-	if ( empty($post->post_password) )
+	if ( empty( $post->post_password ) )
 		return false;
 
-	if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) )
+	if ( ! isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
 		return true;
 
-	if ( stripslashes( $_COOKIE['wp-postpass_' . COOKIEHASH] ) != $post->post_password )
-		return true;
+	if ( empty( $wp_hasher ) ) {
+		require_once( ABSPATH . 'wp-includes/class-phpass.php');
+		// By default, use the portable hash from phpass
+		$wp_hasher = new PasswordHash(8, true);
+	}
 
-	return false;
+	$hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
+
+	return ! $wp_hasher->CheckPassword( $post->post_password, $hash );
 }
 
 /**

wp-pass.php

@@ -7,10 +7,16 @@
  */
 
 /** Make sure that the WordPress bootstrap has run before continuing. */
-require( dirname(__FILE__) . '/wp-load.php');
+require( dirname( __FILE__ ) . '/wp-load.php');
+
+if ( empty( $wp_hasher ) ) {
+	require_once( ABSPATH . 'wp-includes/class-phpass.php');
+	// By default, use the portable hash from phpass
+	$wp_hasher = new PasswordHash(8, true);
+}
 
 // 10 days
-setcookie('wp-postpass_' . COOKIEHASH, stripslashes( $_POST['post_password'] ), time() + 864000, COOKIEPATH);
+setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 864000, COOKIEPATH );
 
-wp_safe_redirect(wp_get_referer());
+wp_safe_redirect( wp_get_referer() );
 exit;