
Changeset 50045


Timestamp:
01/28/2021 12:31:10 AM (6 months ago)
Author:
whyisjake
Message:

App Passwords: Only attempt auth if the username and password are set.

Previously, only the username was checked, which caused a PHP warning in some server setups — for instance Shibboleth SSO — where the server populates only the PHP_AUTH_USER field and leaves PHP_AUTH_PW unset.

This brings the changes from [49919] to the 5.6 branch.

Props MadtownLems, johnbillion, richard.tape, engahmeds3ed, TimothyBlynJacobs.

Fixes #52003.

Location:
branches/5.6
Files:
3 edited

  • branches/5.6

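--- a/branches/5.6/src/wp-includes/user.php
+++ b/branches/5.6/src/wp-includes/user.php
@@ -462,6 +462,6 @@
     }
 
-    // Check that we're trying to authenticate
-    if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) ) {
+    // Both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] must be set in order to attempt authentication.
+    if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
         return $input_user;
     }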
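Review bot: The new comment on the guard only restates the condition; the reason the second key is required is what a future maintainer needs, otherwise the check is easy to "simplify" back to the username-only form. Suggest: `// SSO front ends such as Shibboleth may populate PHP_AUTH_USER without PHP_AUTH_PW; when either is missing, skip application-password auth and fall through rather than read an unset index.` Note also that isset() accepts an empty string, so a Basic header of the form `user:` still passes this guard and reaches the validation path below — presumably harmless because the credential check will fail, but worth confirming against the code after this hunk. wp_validate_application_password begins and continues outside the hunk.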
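--- a/branches/5.6/tests/phpunit/tests/auth.php
+++ b/branches/5.6/tests/phpunit/tests/auth.php
@@ -616,3 +616,20 @@
         $this->assertNull( $authenticated );
     }
+
+    /**
+     * @ticket 52003
+     *
+     * @covers ::wp_validate_application_password
+     */
+    public function test_application_passwords_does_not_attempt_auth_if_missing_password() {
+        WP_Application_Passwords::create_new_application_password( self::$user_id, array( 'name' => 'phpunit' ) );
+
+        add_filter( 'application_password_is_api_request', '__return_true' );
+        add_filter( 'wp_is_application_passwords_available', '__return_true' );
+
+        $_SERVER['PHP_AUTH_USER'] = self::$_user->user_login;
+        unset( $_SERVER['PHP_AUTH_PW'] );
+
+        $this->assertNull( wp_validate_application_password( null ) );
+    }
 }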
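Review bot: The new test assigns `$_SERVER['PHP_AUTH_USER']` and never clears it, so the value leaks into any test that runs afterwards in this class unless a tear-down resets `$_SERVER`, which this hunk does not show. Either add `unset( $_SERVER['PHP_AUTH_USER'] );` after the assertion (with the caveat that it will not run if the assertion fails) or, better, clear both `PHP_AUTH_USER` and `PHP_AUTH_PW` in the class's tear_down(). The two add_filter() calls are presumably undone by the WordPress test case between tests, but that is inferred rather than visible here. The enclosing test class starts outside the hunk.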