From ed8c96636c16b2ab77ce8e955ed07732969994d4 Mon Sep 17 00:00:00 2001
From: ryan <ryan@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Wed, 11 Jan 2012 16:42:42 +0000
Subject: [PATCH] Hash post password in cookies. fixes #19797

git-svn-id: http://svn.automattic.com/wordpress/trunk@19728 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/post-template.php | 17 ++++++++++++-----
 wp-pass.php                   | 12 +++++++++---
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/wp-includes/post-template.php b/wp-includes/post-template.php
index c5f053d15..a29d62ced 100644
--- a/wp-includes/post-template.php
+++ b/wp-includes/post-template.php
@@ -558,18 +558,25 @@ function get_body_class( $class = '' ) {
  * @return bool false if a password is not required or the correct password cookie is present, true otherwise.
  */
 function post_password_required( $post = null ) {
+	global $wp_hasher;
+
 	$post = get_post($post);
 
-	if ( empty($post->post_password) )
+	if ( empty( $post->post_password ) )
 		return false;
 
-	if ( !isset($_COOKIE['wp-postpass_' . COOKIEHASH]) )
+	if ( ! isset( $_COOKIE['wp-postpass_' . COOKIEHASH] ) )
 		return true;
 
-	if ( stripslashes( $_COOKIE['wp-postpass_' . COOKIEHASH] ) != $post->post_password )
-		return true;
+	if ( empty( $wp_hasher ) ) {
+		require_once( ABSPATH . 'wp-includes/class-phpass.php');
+		// By default, use the portable hash from phpass
+		$wp_hasher = new PasswordHash(8, true);
+	}
 
-	return false;
+	$hash = stripslashes( $_COOKIE[ 'wp-postpass_' . COOKIEHASH ] );
+
+	return ! $wp_hasher->CheckPassword( $post->post_password, $hash );
 }
 
 /**
diff --git a/wp-pass.php b/wp-pass.php
index 6cb2a6d8f..39ac44874 100644
--- a/wp-pass.php
+++ b/wp-pass.php
@@ -7,10 +7,16 @@
  */
 
 /** Make sure that the WordPress bootstrap has run before continuing. */
-require( dirname(__FILE__) . '/wp-load.php');
+require( dirname( __FILE__ ) . '/wp-load.php');
+
+if ( empty( $wp_hasher ) ) {
+	require_once( ABSPATH . 'wp-includes/class-phpass.php');
+	// By default, use the portable hash from phpass
+	$wp_hasher = new PasswordHash(8, true);
+}
 
 // 10 days
-setcookie('wp-postpass_' . COOKIEHASH, stripslashes( $_POST['post_password'] ), time() + 864000, COOKIEPATH);
+setcookie( 'wp-postpass_' . COOKIEHASH, $wp_hasher->HashPassword( stripslashes( $_POST['post_password'] ) ), time() + 864000, COOKIEPATH );
 
-wp_safe_redirect(wp_get_referer());
+wp_safe_redirect( wp_get_referer() );
 exit;