
Ticket #57512: 57512_with_tests.diff

File 57512_with_tests.diff, 2.4 KB (added by shooper, 2 years ago)

Adds checks for additional parts in the decoded base64, and adds unit tests

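--- a/src/wp-includes/load.php
+++ b/src/wp-includes/load.php
@@ -122,11 +122,16 @@ function wp_populate_basic_auth_from_authorization_header() {
         $token    = substr( $header, 6 );
         $userpass = base64_decode( $token );
 
-        list( $user, $pass ) = explode( ':', $userpass );
+        // If there is no password provided, exit.
+        $exploded_basic_auth = explode( ':', $userpass );
+
+        if ( 2 !== count($exploded_basic_auth) ) {
+                return;
+        }
 
         // Now shove them in the proper keys where we're expecting later on.
-        $_SERVER['PHP_AUTH_USER'] = $user;
-        $_SERVER['PHP_AUTH_PW']   = $pass;
+        $_SERVER['PHP_AUTH_USER'] = $exploded_basic_auth[0];
+        $_SERVER['PHP_AUTH_PW']   = $exploded_basic_auth[1];
 }
 
 /**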
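Review bot: The new guard `2 !== count($exploded_basic_auth)` silently drops every credential whose password contains a colon, because `explode( ':', $userpass )` splits on all of them; RFC 7617 forbids the colon only in the user-id, so the split should stop at the first one: `$exploded_basic_auth = explode( ':', $userpass, 2 );`. With the limit in place the count check still rejects a value that has no `:` at all, which is the missing-password case the patch targets. The comment `// If there is no password provided, exit.` would then read more accurately as `// Ignore the header if the decoded value has no ':' separator.` Separately, `base64_decode( $token )` runs in non-strict mode, so a malformed token is decoded to whatever bytes survive rather than rejected; `base64_decode( $token, true )` followed by a `false === $userpass` return would tighten that. The function starts above this hunk, so how `$header` is validated is not visible here.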
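--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
@@ -675,4 +675,46 @@ class Tests_Auth extends WP_UnitTestCase {
                         'not allowed' => array( 'subscriber', false ),
                 );
         }
+
+        /*
+         * @ticket 57512
+         * @covers ::wp_populate_basic_auth_from_authorization_header
+         */
+        public function tests_basic_http_authentication_with_username_and_password() {
+                // username:password
+                $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=';
+
+                wp_populate_basic_auth_from_authorization_header();
+
+                $this->assertSame($_SERVER['PHP_AUTH_USER'], 'username');
+                $this->assertSame($_SERVER['PHP_AUTH_PW'], 'password');
+        }
+
+        /*
+         * @ticket 57512
+         * @covers ::wp_populate_basic_auth_from_authorization_header
+         */
+        public function tests_basic_http_authentication_with_username_only() {
+                // username
+                $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU=';
+
+                wp_populate_basic_auth_from_authorization_header();
+
+                $this->assertArrayNotHasKey('PHP_AUTH_USER', $_SERVER);
+                $this->assertArrayNotHasKey('PHP_AUTH_PW', $_SERVER);
+        }
+
+        /*
+         * @ticket 57512
+         * @covers ::wp_populate_basic_auth_from_authorization_header
+         */
+        public function tests_basic_http_authentication_with_more_than_2_parts() {
+                // username:password:foo
+                $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU6cGFzc3dvcmQ6Zm9v';
+
+                wp_populate_basic_auth_from_authorization_header();
+
+                $this->assertArrayNotHasKey('PHP_AUTH_USER', $_SERVER);
+                $this->assertArrayNotHasKey('PHP_AUTH_PW', $_SERVER);
+        }
 }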
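Review bot: None of the three tests clears `$_SERVER['PHP_AUTH_USER']` / `$_SERVER['PHP_AUTH_PW']` or restores `HTTP_AUTHORIZATION`, so the two `assertArrayNotHasKey` tests can fail once the username-and-password test has run, unless the base class resets `$_SERVER` between tests (not visible in this hunk). Start each test with `unset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );`, or do the cleanup in a tear-down method. The doc blocks open with `/*` rather than `/**`, so `@ticket` and `@covers` are plain comments and will not be read as annotations. The `username:password:foo` case also pins the rejection of a password that contains a colon, which Basic authentication permits; if the split is limited to the first colon, that test should expect user `username` and password `password:foo`. The class body begins outside the hunk.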