enmi-conf.org: comparison wp/wp-includes/user.php

equal deleted inserted replaced

-:48c4eec2b7e6
+:8c2e4d02f4ef
 			'user_login'    => '',
 			'user_password' => '',
 			'remember'      => false,
 		);
-		if ( ! empty( $_POST['log'] ) ) {
+		if ( ! empty( $_POST['log'] ) && is_string( $_POST['log'] ) ) {
 			$credentials['user_login'] = wp_unslash( $_POST['log'] );
 		}
-		if ( ! empty( $_POST['pwd'] ) ) {
+		if ( ! empty( $_POST['pwd'] ) && is_string( $_POST['pwd'] ) ) {
 			$credentials['user_password'] = $_POST['pwd'];
 		}
 		if ( ! empty( $_POST['rememberme'] ) ) {
 			$credentials['remember'] = $_POST['rememberme'];
 		}
 * @param WP_User|WP_Error|null $user     WP_User or WP_Error object from a previous callback. Default null.
 * @param string                $username Username for authentication.
 * @param string                $password Password for authentication.
 * @return WP_User|WP_Error WP_User on success, WP_Error on failure.
 */
-function wp_authenticate_username_password( $user, $username, $password ) {
+function wp_authenticate_username_password(
+	$user,
+	$username,
+	#[\SensitiveParameter]
+	$password
+) {
 	if ( $user instanceof WP_User ) {
 		return $user;
 	}
 	if ( empty( $username ) || empty( $password ) ) {
 	$user = apply_filters( 'wp_authenticate_user', $user, $password );
 	if ( is_wp_error( $user ) ) {
 		return $user;
 	}
-	if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
+	$valid = wp_check_password( $password, $user->user_pass, $user->ID );
+	if ( ! $valid ) {
 		return new WP_Error(
 			'incorrect_password',
 			sprintf(
 				/* translators: %s: User name. */
 				__( '<strong>Error:</strong> The password you entered for the username %s is incorrect.' ),
 			__( 'Lost your password?' ) .
 			'</a>'
 		);
 	}
+	if ( wp_password_needs_rehash( $user->user_pass, $user->ID ) ) {
+		wp_set_password( $password, $user->ID );
+	}
 	return $user;
 }
 /**
 * Authenticates a user using the email and password.
 *                                        callback failed authentication.
 * @param string                $email    Email address for authentication.
 * @param string                $password Password for authentication.
 * @return WP_User|WP_Error WP_User on success, WP_Error on failure.
 */
-function wp_authenticate_email_password( $user, $email, $password ) {
+function wp_authenticate_email_password(
+	$user,
+	$email,
+	#[\SensitiveParameter]
+	$password
+) {
 	if ( $user instanceof WP_User ) {
 		return $user;
 	}
 	if ( empty( $email ) || empty( $password ) ) {
 	if ( is_wp_error( $user ) ) {
 		return $user;
 	}
-	if ( ! wp_check_password( $password, $user->user_pass, $user->ID ) ) {
+	$valid = wp_check_password( $password, $user->user_pass, $user->ID );
+	if ( ! $valid ) {
 		return new WP_Error(
 			'incorrect_password',
 			sprintf(
 				/* translators: %s: Email address. */
 				__( '<strong>Error:</strong> The password you entered for the email address %s is incorrect.' ),
 			__( 'Lost your password?' ) .
 			'</a>'
 		);
 	}
+	if ( wp_password_needs_rehash( $user->user_pass, $user->ID ) ) {
+		wp_set_password( $password, $user->ID );
+	}
 	return $user;
 }
 /**
 * Authenticates the user using the WordPress auth cookie.
 * @param WP_User|WP_Error|null $user     WP_User or WP_Error object from a previous callback. Default null.
 * @param string                $username Username. If not empty, cancels the cookie authentication.
 * @param string                $password Password. If not empty, cancels the cookie authentication.
 * @return WP_User|WP_Error WP_User on success, WP_Error on failure.
 */
-function wp_authenticate_cookie( $user, $username, $password ) {
+function wp_authenticate_cookie(
+	$user,
+	$username,
+	#[\SensitiveParameter]
+	$password
+) {
 	global $auth_secure_cookie;
 	if ( $user instanceof WP_User ) {
 		return $user;
 	}
 * @param string                $username   Username for authentication.
 * @param string                $password   Password for authentication.
 * @return WP_User|WP_Error|null WP_User on success, WP_Error on failure, null if
 *                               null is passed in and this isn't an API request.
 */
-function wp_authenticate_application_password( $input_user, $username, $password ) {
+function wp_authenticate_application_password(
+	$input_user,
+	$username,
+	#[\SensitiveParameter]
+	$password
+) {
 	if ( $input_user instanceof WP_User ) {
 		return $input_user;
 	}
 	if ( ! WP_Application_Passwords::is_in_use() ) {
 	$password = preg_replace( '/[^a-z\d]/i', '', $password );
 	$hashed_passwords = WP_Application_Passwords::get_user_application_passwords( $user->ID );
 	foreach ( $hashed_passwords as $key => $item ) {
-		if ( ! wp_check_password( $password, $item['password'], $user->ID ) ) {
+		if ( ! WP_Application_Passwords::check_password( $password, $item['password'] ) ) {
 			continue;
 		}
 		$error = new WP_Error();
 * @return string Number of posts the user has written in this post type.
 */
 function count_user_posts( $userid, $post_type = 'post', $public_only = false ) {
 	global $wpdb;
+	$post_type = array_unique( (array) $post_type );
+	sort( $post_type );
 	$where = get_posts_by_author_sql( $post_type, true, $userid, $public_only );
+	$query = "SELECT COUNT(*) FROM $wpdb->posts $where";
-	$count = $wpdb->get_var( "SELECT COUNT(*) FROM $wpdb->posts $where" );
+	$last_changed = wp_cache_get_last_changed( 'posts' );
+	$cache_key    = 'count_user_posts:' . md5( $query ) . ':' . $last_changed;
+	$count        = wp_cache_get( $cache_key, 'post-queries' );
+	if ( false === $count ) {
+		$count = $wpdb->get_var( $query );
+		wp_cache_set( $cache_key, $count, 'post-queries' );
+	}
 	/**
 	 * Filters the number of posts a user has written.
 	 *
 	 * @since 2.7.0
 * @return string[] Amount of posts each user has written, as strings, keyed by user ID.
 */
 function count_many_users_posts( $users, $post_type = 'post', $public_only = false ) {
 	global $wpdb;
-	$count = array();
 	if ( empty( $users ) || ! is_array( $users ) ) {
-		return $count;
+		return array();
+	}
+	/**
+	 * Filters whether to short-circuit performing the post counts.
+	 *
+	 * When filtering, return an array of posts counts as strings, keyed
+	 * by the user ID.
+	 *
+	 * @since 6.8.0
+	 *
+	 * @param string[]|null   $count       The post counts. Return a non-null value to short-circuit.
+	 * @param int[]           $users       Array of user IDs.
+	 * @param string|string[] $post_type   Single post type or array of post types to check.
+	 * @param bool            $public_only Whether to only return counts for public posts.
+	 */
+	$pre = apply_filters( 'pre_count_many_users_posts', null, $users, $post_type, $public_only );
+	if ( null !== $pre ) {
+		return $pre;
 	}
 	$userlist = implode( ',', array_map( 'absint', $users ) );
 	$where    = get_posts_by_author_sql( $post_type, true, null, $public_only );
 	$result = $wpdb->get_results( "SELECT post_author, COUNT(*) FROM $wpdb->posts $where AND post_author IN ($userlist) GROUP BY post_author", ARRAY_N );
+	$count = array_fill_keys( $users, 0 );
 	foreach ( $result as $row ) {
 		$count[ $row[0] ] = $row[1];
-	}
-	foreach ( $users as $id ) {
-		if ( ! isset( $count[ $id ] ) ) {
-			$count[ $id ] = 0;
-		}
 	}
 	return $count;
 }
 	if ( ! $is_global ) {
 		$option_name = $wpdb->get_blog_prefix() . $option_name;
 	}
 	return delete_user_meta( $user_id, $option_name );
+}
+/**
+* Retrieves user info by user ID.
+*
+* @since 6.7.0
+*
+* @param int $user_id User ID.
+*
+* @return WP_User|false WP_User object on success, false on failure.
+*/
+function get_user( $user_id ) {
+	return get_user_by( 'id', $user_id );
 }
 /**
 * Retrieves list of users matching criteria.
 *
 *
 * @since 3.0.0
 *
 * @param int    $user_id    User ID.
 * @param string $meta_key   Metadata name.
-* @param mixed  $meta_value Metadata value. Must be serializable if non-scalar.
+* @param mixed  $meta_value Metadata value. Arrays and objects are stored as serialized data and
+*                           will be returned as the same type when retrieved. Other data types will
+*                           be stored as strings in the database:
+*                           - false is stored and retrieved as an empty string ('')
+*                           - true is stored and retrieved as '1'
+*                           - numbers (both integer and float) are stored and retrieved as strings
+*                           Must be serializable if non-scalar.
 * @param bool   $unique     Optional. Whether the same key should not be added.
 *                           Default false.
 * @return int|false Meta ID on success, false on failure.
 */
 function add_user_meta( $user_id, $meta_key, $meta_value, $unique = false ) {
 *                        This parameter has no effect if `$key` is not specified.
 *                        Default false.
 * @return mixed An array of values if `$single` is false.
 *               The value of meta data field if `$single` is true.
 *               False for an invalid `$user_id` (non-numeric, zero, or negative value).
-*               An empty string if a valid but non-existing user ID is passed.
+*               An empty array if a valid but non-existing user ID is passed and `$single` is false.
+*               An empty string if a valid but non-existing user ID is passed and `$single` is true.
+*               Note: Non-serialized values are returned as strings:
+*               - false values are returned as empty strings ('')
+*               - true values are returned as '1'
+*               - numbers (both integer and float) are returned as strings
+*               Arrays and objects retain their original type.
 */
 function get_user_meta( $user_id, $key = '', $single = false ) {
 	return get_metadata( 'user', $user_id, $key, $single );
 }
 }
 /**
 * Creates dropdown HTML content of users.
 *
-* The content can either be displayed, which it is by default or retrieved by
+* The content can either be displayed, which it is by default, or retrieved by
-* setting the 'echo' argument. The 'include' and 'exclude' arguments do not
+* setting the 'echo' argument to false. The 'include' and 'exclude' arguments
-* need to be used; all users will be displayed in that case. Only one can be
+* are optional; if they are not specified, all users will be displayed. Only one
-* used, either 'include' or 'exclude', but not both.
+* can be used in a single call, either 'include' or 'exclude', but not both.
-*
-* The available arguments are as follows:
 *
 * @since 2.3.0
 * @since 4.5.0 Added the 'display_name_with_login' value for 'show'.
 * @since 4.7.0 Added the 'role', 'role__in', and 'role__not_in' parameters.
 * @since 5.9.0 Added the 'capability', 'capability__in', and 'capability__not_in' parameters.
 	$meta['comment_shortcuts'] = empty( $userdata['comment_shortcuts'] ) || 'false' === $userdata['comment_shortcuts'] ? 'false' : 'true';
 	$admin_color         = empty( $userdata['admin_color'] ) ? 'fresh' : $userdata['admin_color'];
 	$meta['admin_color'] = preg_replace( '|[^a-z0-9 _.\-@]|i', '', $admin_color );
-	$meta['use_ssl'] = empty( $userdata['use_ssl'] ) ? 0 : (bool) $userdata['use_ssl'];
+	$meta['use_ssl'] = empty( $userdata['use_ssl'] ) ? '0' : '1';
 	$meta['show_admin_bar_front'] = empty( $userdata['show_admin_bar_front'] ) ? 'true' : $userdata['show_admin_bar_front'];
 	$meta['locale'] = isset( $userdata['locale'] ) ? $userdata['locale'] : '';
 	 *
 	 * It only includes data in the users table, not any user metadata.
 	 *
 	 * @since 4.9.0
 	 * @since 5.8.0 The `$userdata` parameter was added.
+	 * @since 6.8.0 The user's password is now hashed using bcrypt by default instead of phpass.
 	 *
 	 * @param array    $data {
 	 *     Values and keys for the user.
 	 *
 	 *     @type string $user_login      The user's login. Only included if $update == false
 	 *     @type string $user_pass       The user's password.
 	 *     @type string $user_email      The user's email.
 	 *     @type string $user_url        The user's url.
-	 *     @type string $user_nicename   The user's nice name. Defaults to a URL-safe version of user's login
+	 *     @type string $user_nicename   The user's nice name. Defaults to a URL-safe version of user's login.
 	 *     @type string $display_name    The user's display name.
 	 *     @type string $user_registered MySQL timestamp describing the moment when the user registered. Defaults to
 	 *                                   the current UTC timestamp.
 	 * }
 	 * @param bool     $update   Whether the user is being updated rather than created.
 	// Update the cookies if the password changed.
 	$current_user = wp_get_current_user();
 	if ( $current_user->ID === $user_id ) {
 		if ( isset( $plaintext_pass ) ) {
-			wp_clear_auth_cookie();
 			/*
 			 * Here we calculate the expiration length of the current auth cookie and compare it to the default expiration.
 			 * If it's greater than this, then we know the user checked 'Remember Me' when they logged in.
 			 */
 			$logged_in_cookie = wp_parse_auth_cookie( '', 'logged_in' );
 			/** This filter is documented in wp-includes/pluggable.php */
 			$default_cookie_life = apply_filters( 'auth_cookie_expiration', ( 2 * DAY_IN_SECONDS ), $user_id, false );
+			wp_clear_auth_cookie();
 			$remember = false;
+			$token    = '';
-			if ( false !== $logged_in_cookie && ( $logged_in_cookie['expiration'] - time() ) > $default_cookie_life ) {
+			if ( false !== $logged_in_cookie ) {
+				$token = $logged_in_cookie['token'];
+			}
+			if ( false !== $logged_in_cookie && ( (int) $logged_in_cookie['expiration'] - time() ) > $default_cookie_life ) {
 				$remember = true;
 			}
-			wp_set_auth_cookie( $user_id, $remember );
+			wp_set_auth_cookie( $user_id, $remember, '', $token );
 		}
 	}
 	/**
 	 * Fires after the user has been updated and emails have been sent.
 * @param string $password The user's password.
 * @param string $email    Optional. The user's email. Default empty.
 * @return int|WP_Error The newly created user's ID or a WP_Error object if the user could not
 *                      be created.
 */
-function wp_create_user( $username, $password, $email = '' ) {
+function wp_create_user(
+	$username,
+	#[\SensitiveParameter]
+	$password,
+	$email = ''
+) {
 	$user_login = wp_slash( $username );
 	$user_email = wp_slash( $email );
 	$user_pass  = $password;
 	$userdata = compact( 'user_login', 'user_email', 'user_pass' );
 /**
 * Creates, stores, then returns a password reset key for user.
 *
 * @since 4.4.0
 *
-* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
-*
 * @param WP_User $user User to retrieve password reset key for.
 * @return string|WP_Error Password reset key on success. WP_Error on error.
 */
 function get_password_reset_key( $user ) {
-	global $wp_hasher;
 	if ( ! ( $user instanceof WP_User ) ) {
 		return new WP_Error( 'invalidcombo', __( '<strong>Error:</strong> There is no account with that username or email address.' ) );
 	}
 	/**
 	 * @param string $user_login The username for the user.
 	 * @param string $key        The generated password reset key.
 	 */
 	do_action( 'retrieve_password_key', $user->user_login, $key );
-	// Now insert the key, hashed, into the DB.
+	$hashed = time() . ':' . wp_fast_hash( $key );
-	if ( empty( $wp_hasher ) ) {
-		require_once ABSPATH . WPINC . '/class-phpass.php';
-		$wp_hasher = new PasswordHash( 8, true );
-	}
-	$hashed = time() . ':' . $wp_hasher->HashPassword( $key );
 	$key_saved = wp_update_user(
 		array(
 			'ID'                  => $user->ID,
 			'user_activation_key' => $hashed,
 * hashing process. This field is now hashed; old values are no longer accepted
 * but have a different WP_Error code so good user feedback can be provided.
 *
 * @since 3.1.0
 *
-* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
+* @param string $key       The password reset key.
-*
-* @param string $key       Hash to validate sending user's password.
 * @param string $login     The user login.
 * @return WP_User|WP_Error WP_User object on success, WP_Error object for invalid or expired keys.
 */
-function check_password_reset_key( $key, $login ) {
+function check_password_reset_key(
-	global $wp_hasher;
+	#[\SensitiveParameter]
+	$key,
+	$login
+) {
 	$key = preg_replace( '/[^a-z0-9]/i', '', $key );
 	if ( empty( $key ) || ! is_string( $key ) ) {
 		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
 	}
 	$user = get_user_by( 'login', $login );
 	if ( ! $user ) {
 		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
-	}
-	if ( empty( $wp_hasher ) ) {
-		require_once ABSPATH . WPINC . '/class-phpass.php';
-		$wp_hasher = new PasswordHash( 8, true );
 	}
 	/**
 	 * Filters the expiration time of password reset keys.
 	 *
 	if ( ! $pass_key ) {
 		return new WP_Error( 'invalid_key', __( 'Invalid key.' ) );
 	}
-	$hash_is_correct = $wp_hasher->CheckPassword( $key, $pass_key );
+	$hash_is_correct = wp_verify_fast_hash( $key, $pass_key );
 	if ( $hash_is_correct && $expiration_time && time() < $expiration_time ) {
 		return $user;
 	} elseif ( $hash_is_correct && $expiration_time ) {
 		// Key has an expiration time that's passed.
 		$return  = new WP_Error( 'expired_key', __( 'Invalid key.' ) );
 		$user_id = $user->ID;
 		/**
 		 * Filters the return value of check_password_reset_key() when an
-		 * old-style key is used.
+		 * old-style key or an expired key is used.
 		 *
 		 * @since 3.7.0 Previously plain-text keys were stored in the database.
 		 * @since 4.3.0 Previously key hashes were stored without an expiration time.
 		 *
 		 * @param WP_Error $return  A WP_Error object denoting an expired key.
 * Handles sending a password retrieval email to a user.
 *
 * @since 2.5.0
 * @since 5.7.0 Added `$user_login` parameter.
 *
-* @global wpdb         $wpdb      WordPress database abstraction object.
+* @global wpdb $wpdb WordPress database abstraction object.
-* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
 *
 * @param string $user_login Optional. Username to send a password retrieval email for.
 *                           Defaults to `$_POST['user_login']` if not set.
 * @return true|WP_Error True when finished, WP_Error object on error.
 */
-function retrieve_password( $user_login = null ) {
+function retrieve_password( $user_login = '' ) {
 	$errors    = new WP_Error();
 	$user_data = false;
 	// Use the passed $user_login if available, otherwise use $_POST['user_login'].
 	if ( ! $user_login && ! empty( $_POST['user_login'] ) ) {
 	$message .= sprintf( __( 'Site Name: %s' ), $site_name ) . "\r\n\r\n";
 	/* translators: %s: User login. */
 	$message .= sprintf( __( 'Username: %s' ), $user_login ) . "\r\n\r\n";
 	$message .= __( 'If this was a mistake, ignore this email and nothing will happen.' ) . "\r\n\r\n";
 	$message .= __( 'To reset your password, visit the following address:' ) . "\r\n\r\n";
-	$message .= network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user_login ), 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
+	/*
+	 * Since some user login names end in a period, this could produce ambiguous URLs that
+	 * end in a period. To avoid the ambiguity, ensure that the login is not the last query
+	 * arg in the URL. If moving it to the end, a trailing period will need to be escaped.
+	 *
+	 * @see https://core.trac.wordpress.org/tickets/42957
+	 */
+	$message .= network_site_url( 'wp-login.php?login=' . rawurlencode( $user_login ) . "&key=$key&action=rp", 'login' ) . '&wp_lang=' . $locale . "\r\n\r\n";
 	if ( ! is_user_logged_in() ) {
 		$requester_ip = $_SERVER['REMOTE_ADDR'];
 		if ( $requester_ip ) {
 			$message .= sprintf(
 * @since 2.5.0
 *
 * @param WP_User $user     The user
 * @param string  $new_pass New password for the user in plaintext
 */
-function reset_password( $user, $new_pass ) {
+function reset_password(
+	$user,
+	#[\SensitiveParameter]
+	$new_pass
+) {
 	/**
 	 * Fires before the user's password is reset.
 	 *
 	 * @since 1.5.0
 	 *
 	 * @param string $sitename   The name of the site.
 	 * @param array  $email_data {
 	 *     Data relating to the account action email.
 	 *
 	 *     @type WP_User_Request $request     User request object.
-	 *     @type string          $user_email  The email address confirming a request
+	 *     @type string          $user_email  The email address confirming a request.
 	 *     @type string          $description Description of the action being performed so the user knows what the email is for.
 	 *     @type string          $manage_url  The link to click manage privacy requests of this type.
 	 *     @type string          $sitename    The site name sending the mail.
 	 *     @type string          $siteurl     The site URL sending the mail.
 	 *     @type string          $admin_email The administrator email receiving the mail.
 	 * @param string $content    The email content.
 	 * @param array  $email_data {
 	 *     Data relating to the account action email.
 	 *
 	 *     @type WP_User_Request $request     User request object.
-	 *     @type string          $user_email  The email address confirming a request
+	 *     @type string          $user_email  The email address confirming a request.
 	 *     @type string          $description Description of the action being performed
 	 *                                        so the user knows what the email is for.
 	 *     @type string          $manage_url  The link to click manage privacy requests of this type.
 	 *     @type string          $sitename    The site name sending the mail.
 	 *     @type string          $siteurl     The site URL sending the mail.
 	 * @param string $content    The email content.
 	 * @param array  $email_data {
 	 *     Data relating to the account action email.
 	 *
 	 *     @type WP_User_Request $request     User request object.
-	 *     @type string          $user_email  The email address confirming a request
+	 *     @type string          $user_email  The email address confirming a request.
 	 *     @type string          $description Description of the action being performed so the user knows what the email is for.
 	 *     @type string          $manage_url  The link to click manage privacy requests of this type.
 	 *     @type string          $sitename    The site name sending the mail.
 	 *     @type string          $siteurl     The site URL sending the mail.
 	 *     @type string          $admin_email The administrator email receiving the mail.
 	 * @param int          $request_id The request ID.
 	 * @param array        $email_data {
 	 *     Data relating to the account action email.
 	 *
 	 *     @type WP_User_Request $request     User request object.
-	 *     @type string          $user_email  The email address confirming a request
+	 *     @type string          $user_email  The email address confirming a request.
 	 *     @type string          $description Description of the action being performed so the user knows what the email is for.
 	 *     @type string          $manage_url  The link to click manage privacy requests of this type.
 	 *     @type string          $sitename    The site name sending the mail.
 	 *     @type string          $siteurl     The site URL sending the mail.
 	 *     @type string          $admin_email The administrator email receiving the mail.
 /**
 * Returns a confirmation key for a user action and stores the hashed version for future comparison.
 *
 * @since 4.9.6
 *
-* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
-*
 * @param int $request_id Request ID.
 * @return string Confirmation key.
 */
 function wp_generate_user_request_key( $request_id ) {
-	global $wp_hasher;
 	// Generate something random for a confirmation key.
 	$key = wp_generate_password( 20, false );
-	// Return the key, hashed.
+	// Save the key, hashed.
-	if ( empty( $wp_hasher ) ) {
-		require_once ABSPATH . WPINC . '/class-phpass.php';
-		$wp_hasher = new PasswordHash( 8, true );
-	}
 	wp_update_post(
 		array(
 			'ID'            => $request_id,
 			'post_status'   => 'request-pending',
-			'post_password' => $wp_hasher->HashPassword( $key ),
+			'post_password' => wp_fast_hash( $key ),
 		)
 	);
 	return $key;
 }
 /**
 * Validates a user request by comparing the key with the request's key.
 *
 * @since 4.9.6
-*
-* @global PasswordHash $wp_hasher Portable PHP password hashing framework instance.
 *
 * @param string $request_id ID of the request being confirmed.
 * @param string $key        Provided key to validate.
 * @return true|WP_Error True on success, WP_Error on failure.
 */
-function wp_validate_user_request_key( $request_id, $key ) {
+function wp_validate_user_request_key(
-	global $wp_hasher;
+	$request_id,
+	#[\SensitiveParameter]
+	$key
+) {
 	$request_id       = absint( $request_id );
 	$request          = wp_get_user_request( $request_id );
 	$saved_key        = $request->confirm_key;
 	$key_request_time = $request->modified_timestamp;
 	if ( empty( $key ) ) {
 		return new WP_Error( 'missing_key', __( 'The confirmation key is missing from this personal data request.' ) );
 	}
-	if ( empty( $wp_hasher ) ) {
-		require_once ABSPATH . WPINC . '/class-phpass.php';
-		$wp_hasher = new PasswordHash( 8, true );
-	}
 	/**
 	 * Filters the expiration time of confirm keys.
 	 *
 	 * @since 4.9.6
 	 *
 	 * @param int $expiration The expiration time in seconds.
 	 */
 	$expiration_duration = (int) apply_filters( 'user_request_key_expiration', DAY_IN_SECONDS );
 	$expiration_time     = $key_request_time + $expiration_duration;
-	if ( ! $wp_hasher->CheckPassword( $key, $saved_key ) ) {
+	if ( ! wp_verify_fast_hash( $key, $saved_key ) ) {
 		return new WP_Error( 'invalid_key', __( 'The confirmation key is invalid for this personal data request.' ) );
 	}
 	if ( ! $expiration_time || time() > $expiration_time ) {
 		return new WP_Error( 'expired_key', __( 'The confirmation key has expired for this personal data request.' ) );

changeset 22	8c2e4d02f4ef
parent 21	48c4eec2b7e6