Opened 4 months ago

Closed 2 months ago

Last modified 9 days ago

#49395 closed defect (bug) (worksforme)

User authentication broken for usernames that include spaces (PHP bug #78929)

Reported by: codeguy
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords:
Focuses:
Cc:

Description

PHP 7.4.2 (released on January 20, 2020) includes a change such that PHP does NOT decode plus signs in cookie values when reading those values from $_COOKIE. See https://bugs.php.net/bug.php?id=78929 and https://www.php.net/ChangeLog-7.php.

When a WordPress user has a space in her username, that space is url encoded to a plus sign by setcookie() when written to the HTTP header during POST /wp-login.php. The plus sign is not decoded back to a space by PHP, and prevents WordPress from properly finding and authenticating the user. The affected code is in wp-includes/pluggable.php:788 and in the wp_parse_auth_cookie() function.
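The round-trip failure described above, modelled with PHP's own encoding functions. This is an added example, not code from WordPress core or from the ticket: the user table, cookie values and helper names are constructed, and using urlencode()/rawurldecode() to stand in for the affected setcookie()/$_COOKIE pair is an assumption based on the description.

```php
<?php
// Added illustration, not WordPress or PHP source code.
// Cookie layout (login|expiration|token|hmac) follows wp_parse_auth_cookie();
// every value below is constructed.

// Writer side: $plus_for_space = true models the setcookie() behaviour in the
// report (space written as "+"); false percent-encodes the space as "%20".
function encode_cookie(string $value, bool $plus_for_space): string {
    return $plus_for_space ? urlencode($value) : rawurlencode($value);
}

// Reader side: $plus_is_space = true models a reader that turns "+" back into
// a space; false models the PHP 7.4.2 reader, which leaves "+" untouched.
function read_cookie(string $wire, bool $plus_is_space): string {
    return $plus_is_space ? urldecode($wire) : rawurldecode($wire);
}

// Minimal stand-in for the parsing step: four "|"-separated fields, login first.
function login_from_cookie(string $cookie): ?string {
    $parts = explode('|', $cookie);
    return count($parts) === 4 ? $parts[0] : null;
}

$users  = ['jane doe' => 42];                          // constructed user table
$cookie = 'jane doe|1580000000|tokenvalue|hmacvalue';  // constructed auth cookie

$cases = [
    // [writer uses "+", reader decodes "+", label]
    [true,  true,  'plus writer, plus-decoding reader'],
    [true,  false, 'plus writer, 7.4.2-style reader'],
    [false, true,  '%20 writer, plus-decoding reader'],
    [false, false, '%20 writer, 7.4.2-style reader'],
];

foreach ($cases as [$plus_for_space, $plus_is_space, $label]) {
    $wire  = encode_cookie($cookie, $plus_for_space);
    $login = login_from_cookie(read_cookie($wire, $plus_is_space)) ?? '';
    printf(
        "%-36s wire=%s\n  login=%s  user found: %s\n",
        $label,
        $wire,
        var_export($login, true),
        isset($users[$login]) ? 'yes' : 'no'
    );
}
```

Only the second case fails the lookup: the login arrives as a string containing a literal plus sign, which matches no stored username.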

Change History (9)

#1 @codeguy
4 months ago

Unsure if this should be fixed in WP core or in PHP. Looks like a related ticket is in progress on the PHP-side at https://bugs.php.net/bug.php?id=79174

#2 @ocean90
4 months ago

  • Severity changed from critical to normal
  • Version 5.3.2 deleted

#3 @ocean90
4 months ago

#49366 was marked as a duplicate.

#4 @ocean90
4 months ago

Hello @codeguy, welcome to WordPress Trac!

Thanks for the report and the research. There's already a RC for 7.4.3 which should include the fix from https://bugs.php.net/bug.php?id=79174.

#5 @codeguy
4 months ago

Hi @ocean90! Happy to help. Looks like the easiest solution is to wait for 7.4.3 to be released. Thanks for looking into this :)

#6 @SergeyBiryukov
4 months ago

#49417 was marked as a duplicate.

#7 @homeworker
4 months ago

It's a bad habit to allow usernames with spaces. Should be forbidden by WordPress.

#8 @ocean90
2 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

The fix was released in PHP 7.4.3 on Feb 20.

#9 @natip100
9 days ago

Okay, the fix was initiated but users who were already registered with a space in their name still get a broken forgot password URL and users with spaces can still be registered. Seems like it has not been fixed.

WordPress should offer an option (or even make it mandatory) that users not be allowed to be registered with a space.