WordPress.org

Make WordPress Core

Opened 3 weeks ago

Last modified 2 weeks ago

#49395 new defect (bug)

User authentication broken for usernames that include spaces (PHP bug #78929)

Reported by: codeguy
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version:
Component: Login and Registration
Keywords:
Focuses:
Cc:

Description

PHP 7.4.2 (released on January 20, 2020) includes a change such that PHP does NOT decode plus signs in cookie values when reading those values from $_COOKIE. See https://bugs.php.net/bug.php?id=78929 and https://www.php.net/ChangeLog-7.php.

When a WordPress user has a space in her username, that space is URL-encoded to a plus sign by setcookie() when written to the HTTP header during POST /wp-login.php. The plus sign is not decoded back to a space by PHP, and prevents WordPress from properly finding and authenticating the user. The affected code is in wp-includes/pluggable.php:788 and in the wp_parse_auth_cookie() function.
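The cookie round trip described in this report, modelled as an added example (not part of the ticket and not WordPress or PHP source code). It assumes that rawurldecode() is a fair stand-in for a cookie decoder that leaves plus signs alone, and it uses a constructed pipe-separated cookie value with made-up fields.

```php
<?php
// Added example: models the cookie round trip from the ticket with PHP's own
// encoding helpers. No HTTP request is made.

// Constructed sample in a pipe-separated auth-cookie layout
// (username|expiration|token|hmac); all values are made up.
function build_cookie_value(string $username): string {
    return implode('|', [$username, '1581000000', 'sampletoken', 'samplehmac']);
}

// setcookie() URL-encodes the value it writes, so a space leaves as "+".
function on_the_wire(string $value): string {
    return urlencode($value);
}

// Decoder that turns "+" back into a space (the behaviour the login code expects).
function read_decoding_plus(string $wire): string {
    return urldecode($wire);
}

// Decoder that leaves "+" alone; rawurldecode() stands in here for the
// PHP 7.4.2 cookie parsing described in the ticket (an assumption of this model).
function read_keeping_plus(string $wire): string {
    return rawurldecode($wire);
}

// Return the username field the way a pipe-splitting parser would see it.
function parsed_username(string $cookie): ?string {
    $parts = explode('|', $cookie);
    return count($parts) === 4 ? $parts[0] : null;
}

// A space, a literal plus sign, and a plain name, to show which logins are affected.
foreach (['jane doe', 'jane+doe', 'janedoe'] as $login) {
    $wire = on_the_wire(build_cookie_value($login));
    $ok   = parsed_username(read_decoding_plus($wire));
    $bad  = parsed_username(read_keeping_plus($wire));
    printf(
        "%-10s wire=%s\n  plus decoded: %-10s match=%s\n  plus kept:    %-10s match=%s\n",
        $login, $wire,
        $ok, var_export($ok === $login, true),
        $bad, var_export($bad === $login, true)
    );
}
```

Only the login containing a space fails to match when plus signs are kept: a literal plus sign in a username is written as %2B, which both decoders restore.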

Change History (7)

#1 @codeguy
3 weeks ago

Unsure if this should be fixed in WP core or in PHP. Looks like a related ticket is in progress on the PHP side at https://bugs.php.net/bug.php?id=79174

#2 @ocean90
3 weeks ago

  • Severity changed from critical to normal
  • Version 5.3.2 deleted

#3 @ocean90
3 weeks ago

#49366 was marked as a duplicate.

#4 @ocean90
3 weeks ago

Hello @codeguy, welcome to WordPress Trac!

Thanks for the report and the research. There's already an RC for 7.4.3 which should include the fix from https://bugs.php.net/bug.php?id=79174.

#5 @codeguy
3 weeks ago

Hi @ocean90! Happy to help. Looks like the easiest solution is to wait for 7.4.3 to be released. Thanks for looking into this :)

#6 @SergeyBiryukov
2 weeks ago

#49417 was marked as a duplicate.

#7 @homeworker
2 weeks ago

It's a bad habit to allow usernames with spaces. Should be forbidden by WordPress.