PHPass hashes of quote marks do not validate in WordPress


Zechariah Zimmerman

Apr 10, 2015, 12:40:02 PM
Hi, I've been using passlib to generate password hashes for a WordPress install but I've run into an issue. If the password contains a quote mark (either ' or ") the hash will not validate in WordPress. Messing around with it I've found that no hash generated in either PHP or Python will validate in the other language if it contains a quote mark.

I'm generating my hashes like such:
from passlib.hash import phpass


Any ideas why this is happening?

Eli Collins

Apr 11, 2015, 11:54:05 AM
This worried me that there was a bug in passlib, so I tracked it down.  Sadly the culprit seems to be that PHP's crazy "magic quotes" feature is mangling your passwords before wordpress hashes them.

Even if it's off in php.ini, WordPress may turn it on per-deployment by calling "wp_magic_quotes()" in wp-settings.php. It has the effect that a backslash is prepended to all ' " and \ characters in the POST parameter values, and WordPress happily passes this on to its phpass implementation without calling PHP's stripslashes()... so if your password is <<Foo"Bar>>, what actually gets hashed by WordPress is <<Foo\"Bar>>. The WordPress deploy I tested on apparently forbids \ in passwords... so they knew there was something weird, but didn't investigate too much further. (IMHO this is horrible behavior, as a user whose password contains one of those characters will be unable to log in if the magic quotes setting is changed).

On the python side, if you run your password through...

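import re
from passlib.hash import phpass

# pwd is the plaintext password; prepend a backslash to every ' " and \
# so the input matches what WordPress actually hashes
escaped_pwd = re.sub(r"""([\\'"])""", r"\\\1", pwd)
hash = phpass.encrypt(escaped_pwd, rounds=8)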

... it should generate a hash that will work in your wordpress deploy.

Going forward, I'll have to think some more about how to handle this in passlib -- whether to just make a note in the documentation, or add some further code to integrate the above solution in a way that doesn't break existing phpass hashes (e.g. from phpBB3 etc)

- Eli
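
The mismatch described in the reply above, reproduced with only the standard library. This is an added example, not code from the thread or from passlib: the `$P$` portable scheme is reimplemented here with hashlib so it runs without dependencies, and the function names, the fixed salt and the rounds value of 8 (taken from the call in the reply) are assumptions for illustration.

```python
import hashlib
import hmac
import re

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data):
    # phpass packs each 3-byte group little-endian into 6-bit characters.
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[value & 0x3F])
            value >>= 6
    return "".join(out)

def phpass_hash(password, salt, rounds=8):
    # Portable ($P$) scheme: MD5 iterated 2**rounds times over digest + password.
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << rounds):
        digest = hashlib.md5(digest + pw).digest()
    return "$P$" + ITOA64[rounds] + salt + _encode64(digest)

def wp_slash(password):
    # Same escaping as the regex in the reply: backslash before ' " and \.
    return re.sub(r"""([\\'"])""", r"\\\1", password)

def matched_form(candidate, stored):
    # Report which form of the candidate the stored hash was computed over:
    # "raw", "slashed", or None when neither verifies.
    rounds, salt = ITOA64.index(stored[3]), stored[4:12]
    for label, form in (("raw", candidate), ("slashed", wp_slash(candidate))):
        if hmac.compare_digest(phpass_hash(form, salt, rounds), stored):
            return label
    return None

# Constructed sample: fixed salt, and a hash made the way the reply says
# WordPress makes it (over the slashed password).
SALT = "abcdefgh"
wordpress_hash = phpass_hash(wp_slash('Foo"Bar'), SALT)
python_hash = phpass_hash('Foo"Bar', SALT)

if __name__ == "__main__":
    print(matched_form('Foo"Bar', wordpress_hash))   # which form verifies
    print(python_hash == wordpress_hash)
```

Running `matched_form` over a stored hash and a known test password shows whether the hash was computed over the raw or the backslash-escaped password, which is the check to make before a magic-quotes setting is changed.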

Zechariah Zimmerman

Apr 13, 2015, 8:28:40 AM
That solved the problem. Thanks for the quick and thorough reply.