Make WordPress Core

Changeset 56804


Ignore:
Timestamp:
10/09/2023 02:47:57 PM (10 months ago)
Author:
kadamwhite
Message:

REST API: Correct parsing of password from Authorization header when processing Application Password credentials.

Exit early when parsing Application Password credentials if Authorization header value does not contain at least one colon. The Authorization Basic header must use a colon to separate the username and password components per RFC 7617, so a username-only string is malformed and should not be processed.

Split Authorization header only on the first colon, properly handling passwords containing colons.

Resolves PHP 8.0 warning when list() was called on an exploded credentials array containing only one element.

Props kalpeshh, shooper, sc0ttkclark, jrf, mukesh27, oglekler, nicolefurlan.
Fixes #57512.

Location:
trunk
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • trunk/src/wp-includes/load.php

    r56635 r56804  
    127127    $userpass = base64_decode( $token );
    128128
    129     list( $user, $pass ) = explode( ':', $userpass );
     129    // There must be at least one colon in the string.
     130    if ( ! str_contains( $userpass, ':' ) ) {
     131        return;
     132    }
     133
     134    list( $user, $pass ) = explode( ':', $userpass, 2 );
    130135
    131136    // Now shove them in the proper keys where we're expecting later on.
  • trunk/tests/phpunit/tests/auth.php

    r56454 r56804  
    845845        );
    846846    }
     847
     848    /*
     849     * @ticket 57512
     850     * @covers ::wp_populate_basic_auth_from_authorization_header
     851     */
     852    public function tests_basic_http_authentication_with_username_and_password() {
     853        // Header passed as "username:password".
     854        $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=';
     855
     856        wp_populate_basic_auth_from_authorization_header();
     857
     858        $this->assertSame( $_SERVER['PHP_AUTH_USER'], 'username' );
     859        $this->assertSame( $_SERVER['PHP_AUTH_PW'], 'password' );
     860    }
     861
     862    /*
     863     * @ticket 57512
     864     * @covers ::wp_populate_basic_auth_from_authorization_header
     865     */
     866    public function tests_basic_http_authentication_with_username_only() {
     867        // Malformed header passed as "username" with no password.
     868        $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU=';
     869
     870        wp_populate_basic_auth_from_authorization_header();
     871
     872        $this->assertArrayNotHasKey( 'PHP_AUTH_USER', $_SERVER );
     873        $this->assertArrayNotHasKey( 'PHP_AUTH_PW', $_SERVER );
     874    }
     875
     876    /*
     877     * @ticket 57512
     878     * @covers ::wp_populate_basic_auth_from_authorization_header
     879     */
     880    public function tests_basic_http_authentication_with_colon_in_password() {
     881        // Header passed as "username:pass:word" where password contains colon.
     882        $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU6cGFzczp3b3Jk';
     883
     884        wp_populate_basic_auth_from_authorization_header();
     885
     886        $this->assertSame( $_SERVER['PHP_AUTH_USER'], 'username' );
     887        $this->assertSame( $_SERVER['PHP_AUTH_PW'], 'pass:word' );
     888    }
    847889}
Note: See TracChangeset for help on using the changeset viewer.