WordPress.org

Make WordPress Core


Ignore:
Timestamp:
01/02/2021 09:34:01 PM (4 months ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Only attempt auth if the username and password are set.

Previously, only the username was checked which caused a PHP warning in some server setups, for instance Shibboleth SSO, where the server only populates the PHP_AUTH_USER field.

Props MadtownLems, johnbillion, richard.tape, engahmeds3ed.
Fixes #52003.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/tests/phpunit/tests/auth.php

    r49752 r49919  
    616616        $this->assertNull( $authenticated );
    617617    }
     618
     619    /**
     620     * @ticket 52003
     621     *
     622     * @covers ::wp_validate_application_password
     623     */
     624    public function test_application_passwords_does_not_attempt_auth_if_missing_password() {
     625        WP_Application_Passwords::create_new_application_password( self::$user_id, array( 'name' => 'phpunit' ) );
     626
     627        add_filter( 'application_password_is_api_request', '__return_true' );
     628        add_filter( 'wp_is_application_passwords_available', '__return_true' );
     629
     630        $_SERVER['PHP_AUTH_USER'] = self::$_user->user_login;
     631        unset( $_SERVER['PHP_AUTH_PW'] );
     632
     633        $this->assertNull( wp_validate_application_password( null ) );
     634    }
    618635}
Note: See TracChangeset for help on using the changeset viewer.