Merge pull request #289 from fjarrett/user-check-password-escape-chars

wp-cli · May 6, 2020 · 1b65952 · 1b65952
2 parents 21c56a7 + e07e595
commit 1b65952
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 2 deletions.
diff --git a/features/user.feature b/features/user.feature
@@ -85,6 +85,28 @@ Feature: Manage WordPress users
       """
     And the return code should be 1
 
+    When I run `wp user create testuser3b testuser3b@example.com --user_pass="test\"user3b's\pass\!"`
+    Then STDOUT should not contain:
+       """
+       Password:
+       """
+
+    # Check password without the `--escape-chars` option.
+    When I try `wp user check-password testuser3b "test\"user3b's\pass\!"`
+    Then STDERR should be:
+      """
+      Warning: Password contains characters that need to be escaped. Please escape them manually or use the `--escape-chars` option.
+      """
+    And the return code should be 1
+
+    # Check password with the `--escape-chars` option.
+    When I try `wp user check-password testuser3b "test\"user3b's\pass\!" --escape-chars`
+    Then the return code should be 0
+
+    # Check password with manually escaped characters.
+    When I try `wp user check-password testuser3b "test\\\"user3b\'s\\\pass\\\!"`
+    Then the return code should be 0
+
   Scenario: Reassigning user posts
     Given a WP multisite install
 

diff --git a/src/User_Command.php b/src/User_Command.php
@@ -1268,6 +1268,9 @@ private function update_msuser_status( $user_ids, $pref, $value ) {
 	 * <user_pass>
 	 * : A string that contains the plain text password for the user.
 	 *
+	 * [--escape-chars]
+	 * : Escape password with `wp_slash()` to mimic the same behavior as `wp-login.php`.
+	 *
 	 * ## EXAMPLES
 	 *
 	 *     # Check whether given credentials are valid; exit status 0 if valid, otherwise 1
@@ -1282,10 +1285,15 @@ private function update_msuser_status( $user_ids, $pref, $value ) {
 	 *
 	 * @subcommand check-password
 	 */
-	public function check_password( $args ) {
+	public function check_password( $args, $assoc_args ) {
+		$escape_chars = Utils\get_flag_value( $assoc_args, 'escape-chars', false );
+
+		if ( ! $escape_chars && wp_slash( wp_unslash( $args[1] ) ) !== $args[1] ) {
+			WP_CLI::warning( 'Password contains characters that need to be escaped. Please escape them manually or use the `--escape-chars` option.' );
+		}
 
 		$user      = $this->fetcher->get_check( $args[0] );
-		$user_pass = $args[1];
+		$user_pass = $escape_chars ? wp_slash( $args[1] ) : $args[1];
 
 		if ( wp_check_password( $user_pass, $user->data->user_pass, $user->ID ) ) {
 			WP_CLI::halt( 0 );