10up/10up-experience

Password reset triggers fatal error

oscarssanchez opened this issue · 6 comments

Describe the bug

It looks like resetting the password can trigger a fatal error sometimes. Pasting the output of the error log:

[02-Nov-2020 19:29:55 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function ZxcvbnPhp\Matchers\mb_ord() in /chroot/home/client/client.com/html/wp-content/plugins/10up-experience/vendor/bjeavons/zxcvbn-php/src/Matchers/SequenceMatch.php:40
Stack trace:
#0 /chroot/home/client/client.com/html/wp-content/plugins/10up-experience/vendor/bjeavons/zxcvbn-php/src/Matcher.php(39): ZxcvbnPhp\Matchers\SequenceMatch::match('ptjFN0BLCIxvDaI...', Array)
#1 /chroot/home/client/client.com/html/wp-content/plugins/10up-experience/vendor/bjeavons/zxcvbn-php/src/Zxcvbn.php(73): ZxcvbnPhp\Matcher->getMatches('ptjFN0BLCIxvDaI...', Array)
#2 /chroot/home/client/client.com/html/wp-content/plugins/10up-experience/includes/classes/Authentication/Passwords.php(321): ZxcvbnPhp\Zxcvbn->passwordStrength('ptjFN0BLCIxvDaI...')
#3 /chroot/home/client/client.com/html/wp-content/plugins/10up-experience/includes/classes/Authentication/Passwords.php(266): TenUpExperience\Authentication\Passwords->validate_strong_password(Object(WP_Error), Object(stdClass))
#4 in /chroot/home/client/client.com/html/wp-content/plugins/10up-experience/vendor/bjeavons/zxcvbn-php/src/Matchers/SequenceMatch.php on line 40

Steps to Reproduce

  1. Go to user page
  2. Reset password (I tried with an administrator and a subscriber)
  3. It works for subscriber
  4. It triggered a fatal error with the administrator account

Expected behavior

Password reset should not trigger the error

Screenshots

Environment information

  • Browser and version:
    Chrome
  • WordPress version:
    5.5.2
  • Plugins and version:
+------------------------------------------+----------+------------------------------+-------------------+
| name                                     | status   | update                       | version           |
+------------------------------------------+----------+------------------------------+-------------------+
| 10up-experience                          | active   | none                         | 1.7.3             |
| 10up-photo-essays                        | active   | none                         | 1.0.0             |
| admin-menu-editor                        | active   | none                         | 1.9.7             |
| advanced-ads                             | active   | available                    | 1.20.2            |
| acf-code-field                           | active   | none                         | 1.8               |
| acf-reusable-field-group-master          | inactive | none                         | 1.0.2             |
| advanced-custom-fields-table-field       | active   | none                         | 1.3.10            |
| acf-group-category                       | active   | none                         | 1.0.0             |
| advanced-custom-fields-pro               | active   | available                    | 5.9.1             |
| am2-front-end-editing                    | active   | none                         | 1.0.0             |
| am2-newsletter                           | active   | none                         | 1.0               |
| amp                                      | inactive | none                         | 2.0.5             |
| character-count-for-post-content-excerpt | active   | none                         | 0.1               |
| contact-form-7                           | active   | available                    | 5.2.2             |
| cookiebot                                | active   | available                    | 3.8.0             |
| login-customizer                         | active   | none                         | 2.0.1             |
| debug-bar                                | active   | available                    | 1.0.1             |
| debug-bar-elasticpress                   | active   | none                         | 1.4               |
| elasticpress                             | active   | available                    | 3.4.2             |
| ewww-image-optimizer                     | inactive | available                    | 5.7.1             |
| google-authenticator                     | inactive | none                         | 0.52              |
| image-watermark                          | active   | none                         | 1.6.6             |
| fb-instant-articles                      | active   | none                         | 4.2.1             |
| login-with-ajax                          | active   | none                         | 3.1.10            |
| mailpoet                                 | inactive | available                    | 3.52.0            |
| members                                  | active   | none                         | 3.1.3             |
| mobiloud-truthdig-extension              | active   | none                         | 1.0               |
| mobiloud-mobile-app-plugin               | active   | version higher than expected | 9.9.9.9           |
| wp-newrelic                              | active   | none                         | 1.3.1             |
| pardot                                   | active   | none                         | 1.5.0             |
| post-type-switcher                       | active   | none                         | 3.2.0             |
| publishpress                             | inactive | available                    | 1.20.7            |
| publish-to-apple-news                    | active   | none                         | 2.1.0             |
| regenerate-thumbnails                    | active   | available                    | 3.1.3             |
| restricted-site-access                   | inactive | none                         | 7.2.0             |
| rewrite-rules-inspector                  | active   | none                         | 1.2.1             |
| simple-301-redirects                     | active   | none                         | 1.07              |
| wp-smushit                               | active   | none                         | 3.7.1             |
| stream                                   | active   | none                         | 3.6.0             |
| term-management-tools                    | active   | none                         | 1.1.4             |
| timber-library                           | active   | none                         | 1.18.2            |
| truthdig-authors-search                  | active   | none                         | 0.1.0             |
| user-switching                           | active   | none                         | 1.5.6             |
| woocommerce                              | inactive | available                    | 4.6.0             |
| wp-better-emails                         | active   | none                         | 0.4               |
| wp-missed-schedule-master                | active   | none                         | 2014.1231.2017.12 |
| wp-user-avatar                           | active   | none                         | 2.2.7             |
| wordpress-seo                            | active   | available                    | 15.1              |
| wpseo-news                               | active   | none                         | 12.6              |
| 10up-sso-client                          | must-use | none                         | 1.0.0             |
| acf_fields_auto_generated                | must-use | none                         |                   |
| am2_feedback                             | must-use | none                         |                   |
| am2_google_plus_login                    | must-use | none                         |                   |
| am2_nominate_truthdigger                 | must-use | none                         |                   |
| am2_promos                               | must-use | none                         |                   |
| am2_social_logins                        | must-use | none                         |                   |
| am2_timing                               | must-use | none                         |                   |
| amp-and-new-relic                        | must-use | none                         | 0.1.0             |
| api                                      | must-use | none                         |                   |
| batcache                                 | must-use | none                         | 1.2               |
| caching                                  | must-use | none                         |                   |
| custom_post_types                        | must-use | none                         |                   |
| custom_taxonomies                        | must-use | none                         |                   |
| debug                                    | must-use | none                         |                   |
| helpers                                  | must-use | none                         |                   |
| models                                   | must-use | none                         |                   |
| pre_get_posts                            | must-use | none                         |                   |
| rewrite_rules                            | must-use | none                         |                   |
| managed-services-utils-loader            | must-use | none                         |                   |
| vulnerability-scanner-loader             | must-use | none                         | 0.0.1             |
+------------------------------------------+----------+------------------------------+-------------------+
  • Theme and version:
    Custom theme from the client
  • Site Health Info:

Additional context

@oscarssanchez I noticed this on another site and discovered the mbstring extension wasn't installed on the environment, which was causing the issue. It looks like the PHP dependency Zxcvbn relies on this extension. That dependency is used to determine the password strength, so if we were to change out the method to one that doesn't use mbstring, it would resolve the issue. Otherwise, we'll need to indicate that the plugin relies on the mbstring PHP extension.

cc @tlovett1

Can't we just check if that function exists and, if not, bail on that functionality?

@tlovett1 Checking for a mbstring function sounds like a good short-term approach to prevent the error. The downside is the 10up Exp strong password functionality won't work on websites that don't have the mbstring PHP extension installed, so that would be good to have documented so the dependencies are understood.

Yea, definitely needs to be documented but I feel like 90%+ websites have that extension. Can you put together a PR?
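The capability check discussed above, as an added example that is not the plugin's own code. It guards the zxcvbn-based strength check behind a `function_exists()` test for the mbstring function the stack trace shows failing (`mb_ord`), and instead of silently skipping enforcement when the extension is missing it falls back to a minimal length rule and logs the degraded state. All `example_` names are hypothetical, and the scorer passed in is a constructed stand-in so the file runs without zxcvbn-php installed; real code would call `(new ZxcvbnPhp\Zxcvbn())->passwordStrength($password)['score']`.

```php
<?php
// Added example (not 10up-experience code): guard the zxcvbn strength check
// behind a runtime check for the mbstring functions zxcvbn-php relies on.

/**
 * True when the mbstring functions zxcvbn-php calls are available.
 * function_exists() rather than extension_loaded() so a userland polyfill
 * (e.g. symfony/polyfill-mbstring) also satisfies the check.
 */
function example_can_run_zxcvbn(): bool {
    return function_exists('mb_ord') && function_exists('mb_strlen');
}

/**
 * Validate a password. $zxcvbn_score is a callable that takes the password
 * and returns a 0-4 score (what Zxcvbn->passwordStrength()['score'] yields);
 * it is only invoked when mbstring is present. Returns an array of error
 * strings, empty when the password is acceptable.
 */
function example_validate_password(string $password, callable $zxcvbn_score, int $min_score = 3): array {
    $errors = [];

    if (example_can_run_zxcvbn()) {
        $score = $zxcvbn_score($password);
        if ($score < $min_score) {
            $errors[] = sprintf('Password strength score %d is below the required %d.', $score, $min_score);
        }
        return $errors;
    }

    // mbstring missing: the estimator cannot run. Rather than failing open
    // (no enforcement at all), apply a minimal length rule and log the
    // degraded state so operators notice the missing extension.
    if (strlen($password) < 12) {
        $errors[] = 'Password must be at least 12 characters (strength estimator unavailable: mbstring not loaded).';
    }
    error_log('example_validate_password: mbstring not available, zxcvbn strength check skipped');
    return $errors;
}

// Constructed stand-in for the estimator: scores by number of character
// classes so this file runs without zxcvbn-php. Not the real algorithm.
$example_scorer = function (string $p): int {
    $classes = (int) preg_match('/[a-z]/', $p) + (int) preg_match('/[A-Z]/', $p)
             + (int) preg_match('/[0-9]/', $p) + (int) preg_match('/[^a-zA-Z0-9]/', $p);
    return min(4, $classes);
};

// Constructed sample inputs.
foreach (['short', 'correct horse battery staple', 'Tr0ub4dor&3'] as $candidate) {
    $result = example_validate_password($candidate, $example_scorer);
    printf("%-30s %s\n", $candidate, $result ? implode(' ', $result) : 'OK');
}
```

The fallback branch is the part worth deciding deliberately: bailing out entirely, as proposed in the thread, means sites without mbstring get no strength enforcement at all, and nothing tells the administrator why. Keeping a minimal rule plus a log line makes the missing dependency visible without reintroducing the fatal error.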

We are experiencing a fatal error while trying to reset a password after updating the site to PHP8. Here's what the log says:

"NOTICE: PHP message: PHP Parse error:  syntax error, unexpected token "match", expecting variable in /var/www/html/client/public/wp-content/plugins/10up-experience/vendor/bjeavons/zxcvbn-php/src/Matcher.php on line 92"

This seems to have been resolved via #98, so closing this issue.