Make WordPress Core

Opened 22 months ago

Closed 21 months ago

Last modified 18 months ago

#49395 closed defect (bug) (worksforme)

User authentication broken for usernames that include spaces (PHP bug #78929)

Reported by: codeguy
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords:
Focuses:
Cc:


PHP 7.4.2 (released on January 20, 2020) includes a change such that PHP does NOT decode plus signs in cookie values when reading those values from $_COOKIE. See https://bugs.php.net/bug.php?id=78929 and https://www.php.net/ChangeLog-7.php.

When a WordPress user has a space in her username, that space is url encoded to a plus sign by setcookie() when written to the HTTP header during POST /wp-login.php. The plus sign is not decoded back to a space by PHP, and prevents WordPress from properly finding and authenticating the user. The affected code is in wp-includes/pluggable.php:788 and in the wp_parse_auth_cookie() function.
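
The round trip described in the report, as an added example that is not part of the original ticket, WordPress core or PHP itself. It assumes the cookie writer encodes like urlencode() and models the PHP 7.4.2 reader with rawurldecode(); the user table, cookie field values and helper names are constructed for illustration.

```php
<?php
// Added illustration, not WordPress or PHP source. All values are constructed.

// Assumption: the cookie writer encodes like urlencode(), so ' ' becomes '+'.
function encode_cookie_value(string $value): string {
    return urlencode($value);
}

// Reader that turns '+' back into a space.
function decode_plus_as_space(string $raw): string {
    return urldecode($raw);
}

// Reader that decodes only %XX sequences and keeps '+' literal,
// modelling the PHP 7.4.2 behaviour described in the ticket.
function decode_plus_literal(string $raw): string {
    return rawurldecode($raw);
}

// Simplified stand-in for the field split done by wp_parse_auth_cookie().
function parse_auth_cookie(string $cookie): ?array {
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    return array_combine(['username', 'expiration', 'token', 'hmac'], $parts);
}

// Hypothetical user table keyed by login name.
$users = ['jane doe' => 7, 'admin' => 1];

foreach (['jane doe', 'admin'] as $login) {
    $onWire = encode_cookie_value("$login|1581552000|constructed-token|constructed-hmac");
    echo "login '$login' sent as: $onWire\n";

    foreach (['decode_plus_as_space', 'decode_plus_literal'] as $decoder) {
        $fields = parse_auth_cookie($decoder($onWire));
        $name   = $fields['username'] ?? '(unparseable)';
        $found  = isset($users[$name]) ? "user id {$users[$name]}" : 'no such user';
        echo "  $decoder => username '$name': $found\n";
    }
}
```

The login without a space resolves under both readers, which matches the ticket's scope: only usernames containing spaces fail the lookup.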

Change History (9)

#1 @codeguy
22 months ago

Unsure if this should be fixed in WP core or in PHP. Looks like a related ticket is in progress on the PHP-side at https://bugs.php.net/bug.php?id=79174

#2 @ocean90
22 months ago

  • Severity changed from critical to normal
  • Version 5.3.2 deleted

#3 @ocean90
22 months ago

#49366 was marked as a duplicate.

#4 @ocean90
22 months ago

Hello @codeguy, welcome to WordPress Trac!

Thanks for the report and the research. There's already an RC for 7.4.3 which should include the fix from https://bugs.php.net/bug.php?id=79174.

#5 @codeguy
22 months ago

Hi @ocean90! Happy to help. Looks like the easiest solution is to wait for 7.4.3 to be released. Thanks for looking into this :)

#6 @SergeyBiryukov
22 months ago

#49417 was marked as a duplicate.

#7 @homeworker
22 months ago

It's a bad habit to allow usernames with spaces. Should be forbidden by WordPress.

#8 @ocean90
21 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

The fix was released in PHP 7.4.3 on Feb 20.

Last edited 21 months ago by ocean90

#9 @natip100
18 months ago

Okay, the fix was initiated but users who were already registered with a space in their name still get a broken forgot password URL and users with spaces can still be registered. Seems like it has not been fixed.

WordPress should offer an option (or even make it mandatory) that users not be allowed to be registered with a space.
