
Ticket #42790: 42790.1.diff

File 42790.1.diff, 1.5 KB (added by georgestephanis, 2 years ago)
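--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -270,6 +270,7 @@
  * @since 4.4.0
  *
  * @global WP             $wp             Current WordPress environment instance.
+ * @global WP_User|null   $user           Current WordPress User.
  */
 function rest_api_loaded() {
         if ( empty( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
@@ -284,6 +285,24 @@
          */
         define( 'REST_REQUEST', true );
 
+        // Populate the correct $_SERVER variables via an alternate header for fastcgi compatibility.
+        if ( isset( $_SERVER['HTTP_WP_AUTHORIZATION'] ) && preg_match( '%^Basic [a-z\d/+]*={0,2}$%i', $_SERVER['HTTP_WP_AUTHORIZATION'] ) ) {
+                // Removing `Basic ` the token would start six characters in.
+                $token = substr( $_SERVER['HTTP_WP_AUTHORIZATION'], 6 );
+                $userpass = base64_decode( $token );
+                list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode( ':', $userpass );
+        }
+
+        // Determine the user that the request should be run under (if any).
+        if ( isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
+                // We are explicitly only accepting HTTP Basic Auth for HTTPS requests.
+                if ( ! is_ssl() ) {
+                        wp_send_json_error( __( 'HTTP Basic Auth is unavailable for non-HTTPS requests.' ), 403 );
+                        die();
+                }
+                $GLOBALS['user'] = wp_authenticate( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
+        }
+
         // Initialize the server.
         $server = rest_get_server();
 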
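Review bot: `explode( ':', $userpass )` on new line 293 splits on every colon, so a password that contains `:` is silently truncated to its first segment before `wp_authenticate()` sees it, and a decoded value with no colon at all leaves `PHP_AUTH_PW` unset with a PHP notice; RFC 7617 forbids the colon only in the user-id, so this should be `explode( ':', $userpass, 2 )` behind a `false !== strpos( $userpass, ':' )` guard, and `base64_decode( $token, true )` would reject malformed input rather than decode it leniently. Separately, `$GLOBALS['user']` on line 303 receives whatever `wp_authenticate()` returns, which is a `WP_Error` on bad credentials, yet nothing in this hunk ends the request in that case and the new `@global WP_User|null $user` docblock does not mention the error type; unless a check elsewhere (not visible here) rejects a `WP_Error` there, a failed Basic Auth should stop with a 401 instead of falling through to `rest_get_server()`. The `is_ssl()` rejection also runs only after the credentials have already been sent in the clear, so it limits where Basic Auth is honoured but does not protect the secret — worth stating in the comment on line 298, e.g. `// Reject rather than honour credentials sent over plain HTTP; this does not undo their exposure in transit.`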