Make WordPress Core


Timestamp:
01/02/2021 09:34:01 PM (4 years ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Only attempt auth if the username and password are set.

Previously, only the username was checked, which caused a PHP warning in some server setups, for instance Shibboleth SSO, where the server only populates the PHP_AUTH_USER field.

Props MadtownLems, johnbillion, richard.tape, engahmeds3ed.
Fixes #52003.

File:
1 edited

  • trunk/src/wp-includes/user.php

    r49789 r49919  
    463463    }
    464464
    465     // Check that we're trying to authenticate
    466     if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) ) {
     465    // Both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] must be set in order to attempt authentication.
     466    if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
    467467        return $input_user;
    468468    }
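
Review bot: The new guard at line 466 relies on isset(), which is true for an empty string, so a request where the server populates $_SERVER['PHP_AUTH_PW'] with '' still falls through to the authentication attempt below. If the intent is to skip whenever no usable credentials are present, either check for empty values as well or state in the comment at line 465 that empty strings are handled later. The changeset edits only trunk/src/wp-includes/user.php, so a regression test for the case in the commit message (PHP_AUTH_USER populated, PHP_AUTH_PW absent) returning $input_user unchanged would be worth adding alongside it.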