Changeset 50045

Timestamp:

01/28/2021 12:31:10 AM (4 years ago)

Author:

whyisjake

Message:

App Passwords: Only attempt auth if the username and password are set.

Previously, only the username was checked which caused a PHP warning in some server setups, for instance Shibboleth SSO, where the server only populates the PHP_AUTH_USER field.

This brings the changes from [49919] to the 5.6 branch.

Props MadtownLems, johnbillion, richard.tape, engahmeds3ed, TimothyBlynJacobs.

Fixes #52003.

Location:

branches/5.6

Files:

• . (modified) (1 prop)
• src/wp-includes/user.php (modified) (1 diff)
• tests/phpunit/tests/auth.php (modified) (1 diff)

branches/5.6/src/wp-includes/user.php

@@ -462 +462 @@
     }
 
-    // Check that we're trying to authenticate
-    if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) ) {
+    // Both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] must be set in order to attempt authentication.
+    if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
         return $input_user;
     }

branches/5.6/tests/phpunit/tests/auth.php

@@ -616 +616 @@
         $this->assertNull( $authenticated );
     }
+
+    /**
+     * @ticket 52003
+     *
+     * @covers ::wp_validate_application_password
+     */
+    public function test_application_passwords_does_not_attempt_auth_if_missing_password() {
+        WP_Application_Passwords::create_new_application_password( self::$user_id, array( 'name' => 'phpunit' ) );
+
+        add_filter( 'application_password_is_api_request', '__return_true' );
+        add_filter( 'wp_is_application_passwords_available', '__return_true' );
+
+        $_SERVER['PHP_AUTH_USER'] = self::$_user->user_login;
+        unset( $_SERVER['PHP_AUTH_PW'] );
+
+        $this->assertNull( wp_validate_application_password( null ) );
+    }
 }