
Ticket #42790: 42790.diff

File 42790.diff, 1.0 KB (added by georgestephanis, 7 years ago)
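--- a/src/wp-includes/rest-api.php
+++ b/src/wp-includes/rest-api.php
@@ -241,6 +241,7 @@
  * @since 4.4.0
  *
  * @global WP             $wp             Current WordPress environment instance.
+ * @global WP_User|null   $user           Current WordPress User.
  */
 function rest_api_loaded() {
         if ( empty( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
@@ -255,6 +256,16 @@
          */
         define( 'REST_REQUEST', true );
 
+        // Determine the user that the request should be run under (if any).
+        if ( isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
+                // We are explicitly only accepting HTTP Basic Auth for HTTPS requests.
+                if ( ! is_ssl() ) {
+                        wp_send_json_error( __( 'HTTP Basic Auth is unavailable for non-HTTPS requests.' ), 403 );
+                        die();
+                }
+                $GLOBALS['user'] = wp_authenticate( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
+        }
+
         // Initialize the server.
         $server = rest_get_server();
 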
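Review bot: The result of `wp_authenticate()` is stored in `$GLOBALS['user']` without an `is_wp_error()` check, so a failed login leaves a `WP_Error` in a global the new docblock declares as `WP_User|null`, and execution continues into `rest_get_server()` instead of refusing the request. Reject the failure right after the call with a generic message that does not reveal whether the username exists, e.g. `if ( is_wp_error( $GLOBALS['user'] ) ) { wp_send_json_error( __( 'Invalid credentials.' ), 401 ); }`. Nothing in the visible lines makes the authenticated account the current user for later permission checks (for example via `wp_set_current_user()`), so confirm how `$GLOBALS['user']` is consumed further down; the body of `rest_api_loaded()` continues outside the hunk. The `is_ssl()` guard reflects what PHP sees, so behind a TLS-terminating proxy it may reject legitimate HTTPS traffic, and on a plain-HTTP request the credentials have already crossed the wire by the time the 403 is sent, which is worth stating in the comment above the check.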