Make WordPress Core


Ignore:
Timestamp:
02/10/2020 04:06:58 PM (5 years ago)
Author:
TimothyBlynJacobs
Message:

REST API: Add support for the REDIRECT_HTTP_AUTHORIZATION header.

Previously the REST API did not account for server configurations where the Authorization header must be added using ModRewrite. This caused major DUX issues when trying to use custom authentication mechanisms.

Fixes #47077.
Props dshanske, cklosows.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/rest-api/class-wp-rest-server.php

    r47224 r47239  
    13811381            if ( strpos( $key, 'HTTP_' ) === 0 ) {
    13821382                $headers[ substr( $key, 5 ) ] = $value;
     1383            } elseif ( 'REDIRECT_HTTP_AUTHORIZATION' === $key && empty( $server['HTTP_AUTHORIZATION'] ) ) {
     1384                /*
     1385                 * In some server configurations, the authorization header is passed in this alternate location.
     1386                 * Since it would not be passed in in both places we do not check for both headers and resolve.
     1387                 */
     1388                $headers['AUTHORIZATION'] = $value;
    13831389            } elseif ( isset( $additional[ $key ] ) ) {
    13841390                $headers[ $key ] = $value;
Note: See TracChangeset for help on using the changeset viewer.