Make WordPress Core

Changeset 49919


Ignore:
Timestamp:
01/02/2021 09:34:01 PM (4 years ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Only attempt auth if the username and password are set.

Previously, only the username was checked which caused a PHP warning in some server setups, for instance Shibboleth SSO, where the server only populates the PHP_AUTH_USER field.

Props MadtownLems, johnbillion, richard.tape, engahmeds3ed.
Fixes #52003.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/user.php

    r49789 r49919  
    463463    }
    464464
    465     // Check that we're trying to authenticate
    466     if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) ) {
     465    // Both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] must be set in order to attempt authentication.
     466    if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
    467467        return $input_user;
    468468    }
  • trunk/tests/phpunit/tests/auth.php

    r49752 r49919  
    616616        $this->assertNull( $authenticated );
    617617    }
     618
     619    /**
     620     * @ticket 52003
     621     *
     622     * @covers ::wp_validate_application_password
     623     */
     624    public function test_application_passwords_does_not_attempt_auth_if_missing_password() {
     625        WP_Application_Passwords::create_new_application_password( self::$user_id, array( 'name' => 'phpunit' ) );
     626
     627        add_filter( 'application_password_is_api_request', '__return_true' );
     628        add_filter( 'wp_is_application_passwords_available', '__return_true' );
     629
     630        $_SERVER['PHP_AUTH_USER'] = self::$_user->user_login;
     631        unset( $_SERVER['PHP_AUTH_PW'] );
     632
     633        $this->assertNull( wp_validate_application_password( null ) );
     634    }
    618635}
Note: See TracChangeset for help on using the changeset viewer.