Make WordPress Core

Changeset 50006


Ignore:
Timestamp:
01/24/2021 02:56:18 AM (4 years ago)
Author:
TimothyBlynJacobs
Message:

App Passwords: Extract Basic Auth check into a reusable filterable function.

In [49752] a check was added to prevent creating new Application Passwords if Basic Auth credentials were detected to prevent conflicts. This check takes place in WP-Admin, though a conflict would only arise if Basic Auth was used on the website's front-end.

This commit extracts the Basic Auth check into a reusable function, wp_is_site_protected_by_basic_auth(), which can be adjusted using a filter of the same name. This way, a site that uses Basic Auth to protect WP-Admin can still use the Application Passwords feature.

In the future, instead of requiring the use of a filter, WordPress could make a loopback request and check for a WWW-Authenticate header to make this detection more robust out of the box.

Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov, TimothyBlynJacobs.
Fixes #52066.

Location:
trunk/src
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-admin/authorize-application.php

    r50003 r50006  
    8989}
    9090
    91 if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
     91if ( wp_is_site_protected_by_basic_auth( 'front' ) ) {
    9292    wp_die(
    9393        __( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ),
  • trunk/src/wp-admin/user-edit.php

    r49752 r50006  
    740740            }
    741741
    742             if ( empty( $_SERVER['PHP_AUTH_USER'] ) && empty( $_SERVER['PHP_AUTH_PW'] ) ) {
     742            if ( ! wp_is_site_protected_by_basic_auth( 'front' ) ) {
    743743                ?>
    744744            <div class="create-application-password form-wrap">
  • trunk/src/wp-includes/load.php

    r49635 r50006  
    16861686    return false;
    16871687}
     1688
     1689/**
     1690 * Checks if this site is protected by HTTP Basic Auth.
     1691 *
     1692 * At the moment, this merely checks for the present of Basic Auth credentials. Therefore, calling this function
     1693 * with a context different from the current context may give inaccurate results. In a future release, this
     1694 * evaluation may be made more robust.
     1695 *
     1696 * Currently, this is only used by Application Passwords to prevent a conflict since it also utilizes Basic Auth.
     1697 *
     1698 * @since 5.6.1
     1699 *
     1700 * @global string $pagenow The current page.
     1701 *
     1702 * @param string $context The context to check for protection. Accepts 'login', 'admin', and 'front'. Defaults to the current context.
     1703 *
     1704 * @return bool
     1705 */
     1706function wp_is_site_protected_by_basic_auth( $context = '' ) {
     1707    global $pagenow;
     1708
     1709    if ( ! $context ) {
     1710        if ( 'wp-login.php' === $pagenow ) {
     1711            $context = 'login';
     1712        } elseif ( is_admin() ) {
     1713            $context = 'admin';
     1714        } else {
     1715            $context = 'front';
     1716        }
     1717    }
     1718
     1719    $is_protected = ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] );
     1720
     1721    /**
     1722     * Filters whether a site is protected by HTTP Basic Auth.
     1723     *
     1724     * @since 5.6.1
     1725     *
     1726     * @param bool $is_protected Whether the site is protected by Basic Auth.
     1727     * @param string $context    The context to check for protection. One of 'login', 'admin', or 'front'.
     1728     */
     1729    return apply_filters( 'wp_is_site_protected_by_basic_auth', $is_protected, $context );
     1730}
Note: See TracChangeset for help on using the changeset viewer.