Opened 8 weeks ago

Closed 8 weeks ago

Last modified 8 weeks ago

#51495 closed defect (bug) (fixed)

The code in mod_rewrite_rules() to write to .htaccess is wrong.

Reported by: nendeb55
Owned by: SergeyBiryukov
Milestone: 5.6
Priority: normal
Severity: critical
Version: 5.6
Component: Rewrite Rules
Keywords: has-patch
Focuses: rest-api
Cc:

Description (last modified by SergeyBiryukov)

Code in the rewrite_rules function

<?php
$rules .= 'RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]';

1. There are no newlines, so the next line comes after it.
2. The .* - is not ^(.*) - in RewriteRule.

Change History (10)

#1 @johnbillion
8 weeks ago

  • Focuses rest-api added
  • Keywords needs-testing added
  • Milestone changed from Awaiting Review to 5.6

Thanks for the report.

This change was introduced in [49109] / #42790. @georgestephanis @timothyblynjacobs can you take a look?

Last edited 8 weeks ago by johnbillion

#2 @johnbillion
8 weeks ago

  • Keywords needs-patch added; needs-testing removed

#3 @georgestephanis
8 weeks ago

Thanks for the report! I'll get a pr/patch together this afternoon/evening. Kid wrangling solo atm. :)

This ticket was mentioned in PR #584 on WordPress/wordpress-develop by georgestephanis.


8 weeks ago

  • Keywords has-patch added; needs-patch removed

I didn't add the suggested parentheses, as I don't believe they are necessary to do the regex capture, and the prior working art for this seemed to run perfectly without them -- https://github.com/WordPress/application-passwords/wiki/Basic-Authorization-Header----Missing

Trac ticket: https://core.trac.wordpress.org/ticket/51495

This ticket was mentioned in Slack in #core-passwords by georgestephanis.


8 weeks ago

#6 @georgestephanis
8 weeks ago

Updated the PR after a minor oops in the first pass, should be a-ok now. :)

I skipped the parentheses as noted in the PR as we're not using them for capture so they shouldn't be needed here.

#7 @SergeyBiryukov
8 weeks ago

  • Description modified

#8 @SergeyBiryukov
8 weeks ago

  • Summary changed from The code in mod_rewrite_rules() to write to .htaccsess is wrong. to The code in mod_rewrite_rules() to write to .htaccess is wrong.

#9 @SergeyBiryukov
8 weeks ago

  • Owner set to SergeyBiryukov
  • Resolution set to fixed
  • Status changed from new to closed

In 49131:

Rewrite Rules: Add missing newline to the HTTP_AUTHORIZATION rewrite rule.

Follow-up to [49109].

Props nendeb55, georgestephanis, johnbillion.
Fixes #51495. See #42790.
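
The defect and the fix in this ticket, as an added PHP example that is not WordPress core code: the first function rebuilds the rule string with and without the trailing newline, and the second scans .htaccess text for a RewriteRule whose flag block runs straight into the next directive. The function names and the `RewriteBase /` line are assumptions made for illustration; only the HTTP_AUTHORIZATION rule comes from the ticket.

```php
<?php
// Added illustration; not WordPress core code. Helper names and the
// RewriteBase line are assumptions; the HTTP_AUTHORIZATION rule is from the ticket.

/** Build a simplified rules block, with or without the newline the fix adds. */
function build_rules( bool $with_newline ): string {
	$rules  = "<IfModule mod_rewrite.c>\n";
	$rules .= "RewriteEngine On\n";
	// Single-quoted string with no "\n": the form reported in the ticket.
	$rules .= 'RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]';
	if ( $with_newline ) {
		$rules .= "\n"; // The missing newline named in the fix's commit message.
	}
	$rules .= "RewriteBase /\n"; // Assumed next directive.
	$rules .= "</IfModule>\n";
	return $rules;
}

/**
 * Return the lines (keyed by 1-based line number) where a RewriteRule's
 * closing flag bracket is followed by more text, i.e. where the next
 * directive was glued onto the rule.
 */
function find_merged_rewrite_rules( string $htaccess ): array {
	$hits = array();
	foreach ( preg_split( '/\R/', $htaccess ) as $i => $line ) {
		// RewriteRule <pattern> <substitution> [flags]<unexpected text>
		if ( preg_match( '/^\s*RewriteRule\s+\S+\s+\S+\s+\[[^\]]*\]\s*\S/', $line ) ) {
			$hits[ $i + 1 ] = $line;
		}
	}
	return $hits;
}

$broken = build_rules( false );
$fixed  = build_rules( true );

echo "Without the newline:\n", $broken, "\n";
echo "Merged directives found without the newline:\n";
print_r( find_merged_rewrite_rules( $broken ) );
echo "Merged directives found with the newline:\n";
print_r( find_merged_rewrite_rules( $fixed ) );
```

The same scan can be pointed at the contents of an existing .htaccess file to check whether it was written while the defect was present.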

#10 @prbot
8 weeks ago

TimothyBJacobs commented on PR #584:

Merged in 405a561.
