Make WordPress Core

Opened 12 months ago

Last modified 4 months ago

#52003 closed defect (bug)

Undefined index: PHP_AUTH_PW /wp-includes/user.php on line 469 — at Version 1

Reported by: MadtownLems
Owned by:
Milestone: 5.6.1
Priority: normal
Severity: normal
Version: 5.6
Component: Application Passwords
Keywords: good-first-bug has-patch has-unit-tests fixed-major
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

wp_validate_application_password only checks for the existence of $_SERVER['PHP_AUTH_USER'] before calling wp_authenticate_application_password with both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].

In our environment (using Shibboleth-powered Single Sign-on), $_SERVER['PHP_AUTH_USER'] is already set, but $_SERVER['PHP_AUTH_PW'] is not defined.

I believe that this section:

// Check that we're trying to authenticate
if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) ) {
	return $input_user;
}
should likely be extended to confirm the presence of both variables before calling wp_authenticate_application_password.

(Of course, I'm also now worried about what other problems we'll run into using PHP_AUTH_USER the way we are, but that's for another day!)
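The guard discussed in the description above, as an added stand-alone example that is not part of the ticket and not WordPress core code: it runs the quoted single-variable check beside a two-variable check over constructed `$_SERVER` samples and records any notices raised. `stub_authenticate`, `validate_original`, `validate_guarded` and the sample values are hypothetical.

```php
<?php
// Added example, not WordPress core code.
// Hypothetical stub standing in for wp_authenticate_application_password().
function stub_authenticate( $user, $password ) {
	return ( 'alice' === $user && 'abcd EFGH 1234 ijkl' === $password ) ? 42 : null;
}

// Guard as quoted in the ticket: only PHP_AUTH_USER is checked.
function validate_original( $input_user, array $server ) {
	if ( ! isset( $server['PHP_AUTH_USER'] ) ) {
		return $input_user;
	}
	// Reads PHP_AUTH_PW even when it is absent, which raises the notice.
	$id = stub_authenticate( $server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] );
	return $id ?? $input_user;
}

// Guard extended as the ticket proposes: both variables must be present.
function validate_guarded( $input_user, array $server ) {
	if ( ! isset( $server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ) ) {
		return $input_user;
	}
	$id = stub_authenticate( $server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] );
	return $id ?? $input_user;
}

// Record notices and warnings instead of printing them.
$notices = array();
set_error_handler( function ( $errno, $errstr ) use ( &$notices ) {
	$notices[] = $errstr;
	return true;
} );

// Constructed $_SERVER samples: SSO sets the user only, Basic auth sets both.
$cases = array(
	'sso_user_only' => array( 'PHP_AUTH_USER' => 'alice@example.edu' ),
	'basic_auth'    => array( 'PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'abcd EFGH 1234 ijkl' ),
	'no_auth'       => array(),
);

foreach ( $cases as $name => $server ) {
	foreach ( array( 'validate_original', 'validate_guarded' ) as $fn ) {
		$notices = array(); // writes through the reference held by the handler
		$result  = $fn( false, $server );
		printf( "%-14s %-18s result=%s notices=%d\n", $name, $fn, var_export( $result, true ), count( $notices ) );
	}
}
```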

Change History (1)

#1 @SergeyBiryukov
12 months ago

  • Description modified (diff)