
Ticket #57512: 57512_with_tests_2.diff

File 57512_with_tests_2.diff, 2.2 KB (added by shooper, 2 years ago)

Handles passwords that contain a colon properly

  • src/wp-includes/load.php

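diff --git a/src/wp-includes/load.php b/src/wp-includes/load.php
index c2450e582f..54a76094eb 100644
--- a/src/wp-includes/load.php
+++ b/src/wp-includes/load.php
@@ -122,7 +122,12 @@ function wp_populate_basic_auth_from_authorization_header() {
         $token    = substr( $header, 6 );
         $userpass = base64_decode( $token );
 
-        list( $user, $pass ) = explode( ':', $userpass );
+        // There must be at least one colon in the string
+        if ( ! str_contains( $userpass, ':' ) ) {
+                return;
+        }
+
+        list( $user, $pass ) = explode( ':', $userpass, 2 );
 
         // Now shove them in the proper keys where we're expecting later on.
         $_SERVER['PHP_AUTH_USER'] = $user;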
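Review bot: `base64_decode( $token )` on new line 123 still decodes in non-strict mode, so bytes outside the base64 alphabet are silently skipped and the added colon guard runs on whatever survives instead of rejecting a malformed Authorization header. Consider `$userpass = base64_decode( $token, true );` and widening the guard to `if ( false === $userpass || ! str_contains( $userpass, ':' ) ) {`. An empty user name (a decoded value starting with `:`) also passes the guard; whether that matters depends on the code that later reads `PHP_AUTH_USER`, which is not visible here. The function begins and ends outside this hunk.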
  • tests/phpunit/tests/auth.php

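diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
index 2198fadcd0..668eb88e62 100644
--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
@@ -675,4 +675,46 @@ class Tests_Auth extends WP_UnitTestCase {
                         'not allowed' => array( 'subscriber', false ),
                 );
         }
+
+        /*
+         * @ticket 57512
+         * @covers ::wp_populate_basic_auth_from_authorization_header
+         */
+        public function tests_basic_http_authentication_with_username_and_password() {
+                // username:password
+                $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=';
+
+                wp_populate_basic_auth_from_authorization_header();
+
+                $this->assertSame($_SERVER['PHP_AUTH_USER'], 'username');
+                $this->assertSame($_SERVER['PHP_AUTH_PW'], 'password');
+        }
+
+        /*
+         * @ticket 57512
+         * @covers ::wp_populate_basic_auth_from_authorization_header
+         */
+        public function tests_basic_http_authentication_with_username_only() {
+                // username
+                $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU=';
+
+                wp_populate_basic_auth_from_authorization_header();
+
+                $this->assertArrayNotHasKey('PHP_AUTH_USER', $_SERVER);
+                $this->assertArrayNotHasKey('PHP_AUTH_PW', $_SERVER);
+        }
+
+        /*
+         * @ticket 57512
+         * @covers ::wp_populate_basic_auth_from_authorization_header
+         */
+        public function tests_basic_http_authentication_with_more_than_2_parts() {
+                // username:pass:word
+                $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU6cGFzczp3b3Jk';
+
+                wp_populate_basic_auth_from_authorization_header();
+
+                $this->assertSame($_SERVER['PHP_AUTH_USER'], 'username');
+                $this->assertSame($_SERVER['PHP_AUTH_PW'], 'pass:word');
+        }
 }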
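Review bot: The three added docblocks open with `/*` rather than `/**`, so the `@ticket 57512` and `@covers` annotations are plain comments and will not be picked up as annotations; each should start with `/**`. None of the new methods removes `$_SERVER['HTTP_AUTHORIZATION']`, `PHP_AUTH_USER` or `PHP_AUTH_PW` afterwards, and the username-only test asserts that the keys are absent, so unless a `tear_down()` outside this hunk clears them the result depends on test order. Clearing those keys at the start of each test would make an authentication-path test independent of leaked global state. The `assertSame()` calls also pass the actual value first; the expected value belongs first, e.g. `$this->assertSame( 'username', $_SERVER['PHP_AUTH_USER'] );`.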