Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix/31582 special characters in password on checkout page lead to not working account #43777

Merged
merged 12 commits into from
Jan 31, 2024
Merged

Fix/31582 special characters in password on checkout page lead to not working account #43777

merged 12 commits into from
Jan 31, 2024

Conversation

wavvves
Copy link
Contributor

@wavvves wavvves commented Jan 18, 2024

Submission Review Guidelines:

Changes proposed in this Pull Request:

This PR introduces wp_slash() on $_POST['password'] to mimic the behavior of default account creation on registration during checkout via submitting a password.
On the default account creation, passwords are being slashed before encryption. Lack of this step would prevent a new user from subsequently logging in after creating an account during checkout while submitting the correct password

Closes #31582 .

How to test the changes in this Pull Request:

Using the WooCommerce Testing Instructions Guide, include your detailed testing instructions:

image
  1. Set up WooCommerce using the settings from the above printscreen on /wp-admin/admin.php?page=wc-settings&tab=account
  2. On an incognito browser window, place an order using the shortcode checkout page, and create a new account while doing it using a password containing the " character
  3. Go to My Account, log out, and try to log back in using the new user credentials
  4. Verify that the login process was done successfully

Changelog entry

  • Automatically create a changelog entry from the details below.

Significance

  • Patch
  • Minor
  • Major

Type

  • Fix - Fixes an existing bug
  • Add - Adds functionality
  • Update - Update existing functionality
  • Dev - Development related task
  • Tweak - A minor adjustment to the codebase
  • Performance - Address performance issues
  • Enhancement - Improvement to existing functionality

Message

Comment

@wavvves wavvves self-assigned this Jan 18, 2024
@wavvves wavvves linked an issue Jan 18, 2024 that may be closed by this pull request
Special characters in password on checkout page lead to not working account #31582
Closed
5 tasks
@woocommercebot woocommercebot requested review from a team and tarunvijwani and removed request for a team January 18, 2024 10:56
@github-actions github-actions bot added the plugin: woocommerce Issues related to the WooCommerce Core plugin. label Jan 18, 2024
@wavvves wavvves added type: bug The issue is a confirmed bug. and removed plugin: woocommerce Issues related to the WooCommerce Core plugin. labels Jan 18, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 18, 2024
edited
Loading

Hi @mikejolley, @tarunvijwani,

Apart from reviewing the code changes, please make sure to review the testing instructions as well.

You can follow this guide to find out what good testing instructions should look like:
https://github.com/woocommerce/woocommerce/wiki/Writing-high-quality-testing-instructions

@wavvves wavvves added focus: checkout Issues related to checkout page. focus: my account Issues related to my account page. labels Jan 18, 2024
@github-actions github-actions bot added the plugin: woocommerce Issues related to the WooCommerce Core plugin. label Jan 18, 2024
@wavvves wavvves requested review from mikejolley and removed request for tarunvijwani January 18, 2024 10:59
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 18, 2024
edited
Loading

Test Results Summary

Commit SHA: 72c4a64

Test 🧪Passed ✅Failed 🚨Broken 🚧Skipped ⏭️Unknown ❔Total 📊Duration ⏱️
API Tests25900202610m 39s
E2E Tests281001802996m 43s
To view the full API test report, click here.
To view the full E2E test report, click here.
To view all test reports, visit the WooCommerce Test Reports Dashboard.

mikejolley
mikejolley requested changes Jan 18, 2024
View reviewed changes
Copy link
Member

@mikejolley mikejolley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this covers all use cases. I understand its targeting shortcode checkout, but wc_create_new_customer is used in several places across the codebase.

Do you think we should move this change within wc_create_new_customer? And does this need some kind of test in place to confirm behaviour and avoid future regressions?

Additionally, does this code assume the POST variable was unslashed already? Is that the case everywhere wc_create_new_customer is used?

plugins/woocommerce/includes/class-wc-checkout.php Outdated Show resolved Hide resolved
@wavvves
Copy link
Contributor Author

wavvves commented Jan 18, 2024
edited
Loading

I'm not sure this covers all use cases. I understand its targeting shortcode checkout, but wc_create_new_customer is used in several places across the codebase.

Do you think we should move this change within wc_create_new_customer? And does this need some kind of test in place to confirm behaviour and avoid future regressions?

Additionally, does this code assume the POST variable was unslashed already? Is that the case everywhere wc_create_new_customer is used?

It took a while to debug this; on the default account registration, the password arrives slashed to wc_create_new_customer, whereas here, it is not. Actually, it seems that the password is always encrypted after slashing. Using unslashed data should not be a problem since any malicious payload is destroyed after encryption. Still, I strongly think we should keep encrypting slashed passwords, as changing that function seems to have a higher risk of breaking all logins.

I wouldn't test for this behaviour, I would rather do E2E tests that does guest checkout with account creation, check everything works and includes a check that logs in with supplied credentials after. That can be done in a separate issue, let me check what E2E tests are already in place regarding this ;)

@mikejolley
Copy link
Member

Ok, but can we at least track where the unslash is happening @wavvves? I cannot see it happening when wc_create_new_customer is called. It would be useful to confirm where the unslash first happens so it can be documented clearly in the code why the slash is needed. Or we can remove the unslash at source.

wavvves
wavvves commented Jan 29, 2024
View reviewed changes
plugins/woocommerce/includes/class-wc-checkout.php
@@ -783,6 +783,9 @@ public function get_posted_data() {
$value = wc_sanitize_textarea( $value );
break;
case 'password':
if ( $data[ 'createaccount' ] && 'account_password' === $key ) {
$value = wp_slash( $value ); // Passwords are encrypted with slashes on account creation, so we need to slash here too.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, but can we at least track where the unslash is happening @wavvves? I cannot see it happening when wc_create_new_customer is called. It would be useful to confirm where the unslash first happens so it can be documented clearly in the code why the slash is needed. Or we can remove the unslash at source.

@mikejolley unslashing is being done here on L767. Instead of adding an exception there I think it would be more readable and self-contained to be re-slashed on the switch. The tiny performance hit of just avoiding unslashing can be neglected IMO.
What do you think?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mikejolley Here is the direct link to it: https://github.com/woocommerce/woocommerce/blob/trunk/plugins/woocommerce/includes/class-wc-checkout.php#L767

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense.

mikejolley
mikejolley approved these changes Jan 31, 2024
View reviewed changes
Copy link
Member

@mikejolley mikejolley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests ok. Thanks for investigating.

@wavvves wavvves merged commit 1e81575 into trunk Jan 31, 2024
38 checks passed
@wavvves wavvves deleted the fix/31582-special-characters-in-password-on-checkout-page-lead-to-not-working-account branch January 31, 2024 09:36
@github-actions github-actions bot added this to the 8.7.0 milestone Jan 31, 2024
@github-actions github-actions bot added the needs: analysis Indicates if the PR requires a PR testing scrub session. label Jan 31, 2024
@nigeljamesstevenson nigeljamesstevenson added needs: internal testing Indicates if the PR requires further testing conducted by Solaris status: analysis complete Indicates if a PR has been analysed by Solaris and removed needs: analysis Indicates if the PR requires a PR testing scrub session. labels Jan 31, 2024
thealexandrelara pushed a commit that referenced this pull request Feb 1, 2024
@wavvves @thealexandrelara
Fix/31582 special characters in password on checkout page lead to not…
41bfebe 
… working account (#43777)

* Fix registration during checkout

* Added changelog.

* Moved changelog.

* Added correct spacing

* Move password slashing into WC_Checkout:get_posted_data()

* Lint fix
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mikejolley mikejolley mikejolley approved these changes

@tarunvijwani tarunvijwani Awaiting requested review from tarunvijwani

Assignees

@tarunvijwani tarunvijwani

@wavvves wavvves

Labels
focus: checkout Issues related to checkout page. focus: my account Issues related to my account page. needs: internal testing Indicates if the PR requires further testing conducted by Solaris plugin: woocommerce Issues related to the WooCommerce Core plugin. status: analysis complete Indicates if a PR has been analysed by Solaris type: bug The issue is a confirmed bug.
Projects
None yet
Milestone
8.7.0
Development

Successfully merging this pull request may close these issues.

Special characters in password on checkout page lead to not working account
4 participants
@wavvves @mikejolley @tarunvijwani @nigeljamesstevenson