#49395 closed defect (bug) (worksforme)
User authentication broken for usernames that include spaces (PHP bug #78929)
| Reported by: | codeguy | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Login and Registration | Keywords: | |
| Focuses: | | Cc: | |
Description
PHP 7.4.2 (released on January 20, 2020) includes a change such that PHP does NOT decode plus signs in cookie values when reading those values from $_COOKIE. See https://bugs.php.net/bug.php?id=78929 and https://www.php.net/ChangeLog-7.php.
When a WordPress user has a space in her username, that space is URL-encoded to a plus sign by setcookie() when written to the HTTP header during POST /wp-login.php. The plus sign is not decoded back to a space by PHP, and prevents WordPress from properly finding and authenticating the user. The affected code is in wp-includes/pluggable.php:788 and in the wp_parse_auth_cookie() function.
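The round trip described above, as an added example that is not part of the ticket or of WordPress core: it models the write side with urlencode() and the two read-side behaviours with urldecode() and rawurldecode(). The helper parse_auth_cookie_model(), the username, and the token and HMAC strings are constructed for illustration.

```php
<?php
// Added illustration, not WordPress core code. All cookie values are constructed.

// Simplified stand-in for wp_parse_auth_cookie(): the auth cookie is
// "username|expiration|token|hmac", split on "|".
function parse_auth_cookie_model(string $value): ?array
{
    $parts = explode('|', $value);
    if (count($parts) !== 4) {
        return null; // malformed cookie
    }
    return array_combine(['username', 'expiration', 'token', 'hmac'], $parts);
}

$username = 'jane doe'; // constructed account name containing a space
$cookie   = implode('|', [$username, '1580000000', 'CONSTRUCTED_TOKEN', 'CONSTRUCTED_HMAC']);

// Write side: the space leaves the server as "+", as the report describes.
$on_wire = urlencode($cookie);
echo "Set-Cookie value: {$on_wire}\n";

// Read side, modelled with the two decoders.
$readers = [
    'plus decoded (urldecode)'            => 'urldecode',
    'plus kept (rawurldecode, as 7.4.2)'  => 'rawurldecode',
];

foreach ($readers as $label => $decode) {
    $parsed = parse_auth_cookie_model($decode($on_wire));
    $seen   = $parsed['username'] ?? null;
    printf(
        "%-36s username=%-11s user lookup %s\n",
        $label,
        var_export($seen, true),
        $seen === $username ? 'succeeds' : 'fails'
    );
}

// A space written as %20 survives both decoders, so the mismatch is specific
// to the "+" form.
$raw = rawurlencode($cookie);
var_dump(urldecode($raw) === $cookie, rawurldecode($raw) === $cookie);

// Deployment check: flag the release named in the report.
$affected = PHP_MAJOR_VERSION === 7 && PHP_MINOR_VERSION === 4 && PHP_RELEASE_VERSION === 2;
echo 'Running PHP ' . PHP_VERSION . ($affected ? ': affected release' : ': not 7.4.2') . "\n";
```

With the plus sign kept, the parsed username is 'jane+doe', which does not match the stored 'jane doe', so the user lookup fails before the cookie's HMAC is ever checked.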
Change History (9)
#4
5 years ago
Hello @codeguy, welcome to WordPress Trac!
Thanks for the report and the research. There's already a RC for 7.4.3 which should include the fix from https://bugs.php.net/bug.php?id=79174.
#5
5 years ago
Hi @ocean90! Happy to help. Looks like the easiest solution is to wait for 7.4.3 to be released. Thanks for looking into this :)
#8
5 years ago
- Milestone Awaiting Review deleted
- Resolution set to worksforme
- Status changed from new to closed
This fix was released in PHP 7.4.3 on Feb 20.
#9
5 years ago
Okay, the fix was initiated but users who were already registered with a space in their name still get a broken forgot password URL and users with spaces can still be registered. Seems like it has not been fixed.
WordPress should offer an option (or even make it mandatory) that users not be allowed to be registered with a space.
Unsure if this should be fixed in WP core or in PHP. Looks like a related ticket is in progress on the PHP-side at https://bugs.php.net/bug.php?id=79174