Ticket #47077: 47077.2.diff

src/wp-includes/rest-api/class-wp-rest-server.php

@@ -1380 +1380 @@
                 foreach ( $server as $key => $value ) {
                         if ( strpos( $key, 'HTTP_' ) === 0 ) {
                                 $headers[ substr( $key, 5 ) ] = $value;
+                        } elseif ( 'REDIRECT_HTTP_AUTHORIZATION' === $key && empty( $server['HTTP_AUTHORIZATION'] ) ) {
+                                /*
+                                 * In some server configurations, the authorization header is passed in this alternate location.
+                                 * Since it would not be passed in in both places we do not check for both headers and resolve.
+                                 */
+                                $headers[ 'AUTHORIZATION' ] = $value;
                         } elseif ( isset( $additional[ $key ] ) ) {
                                 $headers[ $key ] = $value;
                         }

tests/phpunit/tests/rest-api/rest-server.php

@@ -1373 +1373 @@
                 $this->assertEquals( '', rest_get_server()->sent_body );
         }
 
+        /**
+         * @ticket 47077
+         */
+        public function test_http_authorization_header_substitution() {
+                $headers        = array( 'HTTP_AUTHORIZATION' => 'foo' );
+                $parsed_headers = rest_get_server()->get_headers( $headers );
+
+                $this->assertSame(
+                        array( 'AUTHORIZATION' => 'foo' ),
+                        $parsed_headers
+                );
+        }
+
+        /**
+         * @ticket 47077
+         */
+        public function test_redirect_http_authorization_header_substitution() {
+                $headers        = array( 'REDIRECT_HTTP_AUTHORIZATION' => 'foo' );
+                $parsed_headers = rest_get_server()->get_headers( $headers );
+
+                $this->assertSame(
+                        array( 'AUTHORIZATION' => 'foo' ),
+                        $parsed_headers
+                );
+        }
+
+        /**
+         * @ticket 47077
+         */
+        public function test_redirect_http_authorization_with_http_authorization_header_substitution() {
+                $headers        = array( 'HTTP_AUTHORIZATION' => 'foo', 'REDIRECT_HTTP_AUTHORIZATION' => 'bar' );
+                $parsed_headers = rest_get_server()->get_headers( $headers );
+
+                $this->assertSame(
+                        array( 'AUTHORIZATION' => 'foo' ),
+                        $parsed_headers
+                );
+        }
+
+        /**
+         * @ticket 47077
+         */
+        public function test_redirect_http_authorization_with_empty_http_authorization_header_substitution() {
+                $headers        = array( 'HTTP_AUTHORIZATION' => '', 'REDIRECT_HTTP_AUTHORIZATION' => 'bar' );
+                $parsed_headers = rest_get_server()->get_headers( $headers );
+
+                $this->assertSame(
+                        array( 'AUTHORIZATION' => 'bar' ),
+                        $parsed_headers
+                );
+        }
+
         public function _validate_as_integer_123( $value, $request, $key ) {
                 if ( ! is_int( $value ) ) {
                         return new WP_Error( 'some-error', 'This is not valid!' );