Make WordPress Core

Opened 12 months ago

Last modified 4 months ago

#52003 closed defect (bug)

Undefined index: PHP_AUTH_PW /wp-includes/user.php on line 469 — at Initial Version

Reported by: MadtownLems Owned by:
Milestone: 5.6.1 Priority: normal
Severity: normal Version: 5.6
Component: Application Passwords Keywords: good-first-bug has-patch has-unit-tests fixed-major
Focuses: Cc:


wp_validate_application_password only checks for the existence of $_SERVERPHP_AUTH_USER? before calling wp_authenticate_application_password with both $_SERVERPHP_AUTH_USER? and $_SERVERPHP_AUTH_PW?.

In our environment (using Shibboleth-powered Single Sign-on), $_SERVERPHP_AUTH_USER? is already set, but $_SERVERPHP_AUTH_PW? is not defined.

I believe that this section:

Check that we're trying to authenticate
if ( ! isset( $_SERVERPHP_AUTH_USER? ) ) {

return $input_user;


should likely be extended to confirm the presence of both variables before calling wp_authenticate_application_password.

(Of course, I'm also now worried about what other problems we'll run into using PHP_AUTH_USER the way we are, but that's for another day!)

Change History (0)

Note: See TracTickets for help on using tickets.