Fix/31582 special characters in password on checkout page lead to not working account #43777
Conversation
Hi @mikejolley, @tarunvijwani, apart from reviewing the code changes, please make sure to review the testing instructions as well. You can follow this guide to find out what good testing instructions should look like:
Test Results Summary
Commit SHA: 72c4a64
To view the full API test report, click here. To view the full E2E test report, click here. To view all test reports, visit the WooCommerce Test Reports Dashboard.
I'm not sure this covers all use cases. I understand it's targeting shortcode checkout, but wc_create_new_customer is used in several places across the codebase.

Do you think we should move this change within wc_create_new_customer? And does this need some kind of test in place to confirm behaviour and avoid future regressions?

Additionally, does this code assume the POST variable was unslashed already? Is that the case everywhere wc_create_new_customer is used?
It took a while to debug this; on the default account registration, the password arrives slashed to

I wouldn't test for this behaviour, I would rather do E2E tests that do guest checkout with account creation, check everything works and include a check that logs in with the supplied credentials after. That can be done in a separate issue, let me check what E2E tests are already in place regarding this ;)
@@ -783,6 +783,9 @@ public function get_posted_data() { | |||
$value = wc_sanitize_textarea( $value ); | |||
break; | |||
case 'password': | |||
if ( $data[ 'createaccount' ] && 'account_password' === $key ) { | |||
$value = wp_slash( $value ); // Passwords are encrypted with slashes on account creation, so we need to slash here too. |
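Review bot: the inline comment on the added `$value = wp_slash( $value );` line does not document the real reason for the slash and will mislead the next reader. Describing it as passwords being "encrypted with slashes" attributes the behaviour to the storage step, whereas the thread identifies the cause as the unslash applied to the whole posted array earlier in this method (L767 of this file, per the discussion): the default registration path hashes the still-slashed submitted password, so this line re-applies the slash that get_posted_data() stripped, keeping the stored value consistent with what login later compares. Suggest saying exactly that and pointing at the unslash, e.g. `// Re-slash: the posted data was unslashed above, but the default registration path stores the slashed password, so login would not match otherwise.` Style point on the same hunk: `$data[ 'createaccount' ]` should be `$data['createaccount']`, since the WordPress coding standards only put spaces inside the brackets when the index is a variable.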
Ok, but can we at least track where the unslash is happening @wavvves? I cannot see it happening when wc_create_new_customer is called. It would be useful to confirm where the unslash first happens so it can be documented clearly in the code why the slash is needed. Or we can remove the unslash at source.
@mikejolley unslashing is being done here on L767. Instead of adding an exception there I think it would be more readable and self-contained to be re-slashed on the switch. The tiny performance hit of just avoiding unslashing can be neglected IMO.
What do you think?
@mikejolley Here is the direct link to it: https://github.com/woocommerce/woocommerce/blob/trunk/plugins/woocommerce/includes/class-wc-checkout.php#L767
Makes sense.
Tests ok. Thanks for investigating.
… working account (#43777)
* Fix registration during checkout
* Added changelog.
* Moved changelog.
* Added correct spacing
* Move password slashing into WC_Checkout:get_posted_data()
* Lint fix
Changes proposed in this Pull Request:
This PR introduces wp_slash() on $_POST['password'] to mimic the behavior of default account creation on registration during checkout via submitting a password. On the default account creation, passwords are being slashed before encryption. Lack of this step would prevent a new user from subsequently logging in after creating an account during checkout while submitting the correct password.
Closes #31582.
How to test the changes in this Pull Request:
Using the WooCommerce Testing Instructions Guide, include your detailed testing instructions:
/wp-admin/admin.php?page=wc-settings&tab=account
" character
Changelog entry
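The following is an added, stand-alone PHP example written for this page; it is not WooCommerce code and not the patch above. It reproduces the mismatch the PR description explains: WordPress slashes every incoming request value, the default registration path hashes the password exactly as it arrives (still slashed), login compares the still-slashed submitted password, and the checkout path unslashes the posted data before hashing, so a password containing `"` or `\` never matches afterwards. Assumptions: wp_slash()/wp_unslash() on a string behave like addslashes()/stripslashes(), wp_hash_password()/wp_check_password() are modelled with password_hash()/password_verify(), and the function names, request arrays and the password `pa"ss\word` are constructed for the demonstration.

```php
<?php
// Added example, not WooCommerce's code. Reproduces the slashing mismatch the PR fixes.
// Assumptions (no WordPress is loaded here):
//   wp_slash()/wp_unslash() on strings  -> addslashes()/stripslashes()
//   wp_hash_password()/wp_check_password() -> password_hash()/password_verify()
declare(strict_types=1);

/** Stand-in for wp_magic_quotes(): every incoming request value is slashed. */
function slash_request(array $post): array
{
    return array_map('addslashes', $post);
}

/** Stand-in for the default registration form: hashes the value as it arrives, still slashed. */
function register_via_account_form(array $slashed_post): string
{
    return password_hash($slashed_post['password'], PASSWORD_DEFAULT);
}

/**
 * Stand-in for checkout before the fix: the posted data is unslashed as a whole,
 * so the password is hashed without the slashes the other paths keep.
 */
function register_via_checkout_before_fix(array $slashed_post): string
{
    $data = array_map('stripslashes', $slashed_post);
    return password_hash($data['account_password'], PASSWORD_DEFAULT);
}

/**
 * Stand-in for checkout after the fix: the password is re-slashed before it
 * reaches account creation, mirroring the wp_slash( $value ) call in the patch.
 */
function register_via_checkout_after_fix(array $slashed_post): string
{
    $data  = array_map('stripslashes', $slashed_post);
    $value = addslashes($data['account_password']);
    return password_hash($value, PASSWORD_DEFAULT);
}

/** Stand-in for login: the submitted password is compared while still slashed. */
function login(array $slashed_post, string $stored_hash): bool
{
    return password_verify($slashed_post['pwd'], $stored_hash);
}

// Constructed input: a password containing the characters that addslashes() escapes.
$plaintext     = 'pa"ss\\word';   // the user typed  pa"ss\word
$register_post = slash_request(['password' => $plaintext, 'account_password' => $plaintext]);
$login_post    = slash_request(['pwd' => $plaintext]);

$results = [
    'account form'        => login($login_post, register_via_account_form($register_post)),
    'checkout before fix' => login($login_post, register_via_checkout_before_fix($register_post)),
    'checkout after fix'  => login($login_post, register_via_checkout_after_fix($register_post)),
];

foreach ($results as $path => $ok) {
    printf("%-20s login %s\n", $path, $ok ? 'succeeds' : 'FAILS');
}
// A password with none of " ' \ or NUL is unchanged by addslashes(), so the bug is invisible
// with ordinary test passwords; that is why the testing instructions call for a " character.
```

Run it with `php slash_roundtrip.php` (any PHP 7.4+ without extensions). The account-form and fixed-checkout paths log in, the pre-fix checkout path does not, and only because the password contains an escapable character. The caveat for anyone touching this code: wp_slash() here is not a sanitization or escaping step, it is a round-trip that keeps the hashed value identical to what the other registration path and the login path see; any code that unslashes a password before hashing must do the same, and passwords must never go through wc_clean() or similar, which would silently alter them.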