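// Populate the correct $_SERVER variables via an alternate header for fastcgi compatibility.
// The pattern admits only "Basic " followed by base64-alphabet characters and at most two "=" pads.
if ( isset( $_SERVER['HTTP_WP_AUTHORIZATION'] ) && preg_match( '%^Basic [a-z\d/+]*={0,2}$%i', $_SERVER['HTTP_WP_AUTHORIZATION'] ) ) {
	// Removing `Basic ` the token would start six characters in.
	$token    = substr( $_SERVER['HTTP_WP_AUTHORIZATION'], 6 );
	$userpass = base64_decode( $token );

	// Only publish credentials when the decoded value really is a "user:password" pair.
	// Without a colon there is nothing to split, and assigning a null password would
	// also raise an undefined-offset notice.
	if ( is_string( $userpass ) && false !== strpos( $userpass, ':' ) ) {
		// Limit the split to two parts: a password may itself contain ':' and must
		// reach authentication intact instead of being cut at the second colon.
		list( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) = explode( ':', $userpass, 2 );
	}
}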
| 295 | |
// Resolve which user (if any) this request runs as, based on HTTP Basic credentials.
if ( isset( $_SERVER['PHP_AUTH_USER'] ) && isset( $_SERVER['PHP_AUTH_PW'] ) ) {
	// Basic Auth carries the password in a trivially reversible encoding, so it is
	// refused outright unless the request arrived over HTTPS.
	if ( false === is_ssl() ) {
		wp_send_json_error( __( 'HTTP Basic Auth is unavailable for non-HTTPS requests.' ), 403 );
		die();
	}

	// NOTE(review): wp_authenticate() can return a WP_Error on failure; whatever reads
	// $GLOBALS['user'] (not shown here) should check for that before trusting the value.
	$GLOBALS['user'] = wp_authenticate(
		$_SERVER['PHP_AUTH_USER'],
		$_SERVER['PHP_AUTH_PW']
	);
}
| 305 | |