[wp-trac] [WordPress Trac] #52003: Undefined index: PHP_AUTH_PW /wp-includes/user.php on line 469
WordPress Trac
noreply at wordpress.org
Wed Dec 9 20:27:33 UTC 2020
#52003: Undefined index: PHP_AUTH_PW /wp-includes/user.php on line 469
-----------------------------------+------------------------------
 Reporter:  MadtownLems            |       Owner:  (none)
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  Awaiting Review
Component:  Application Passwords  |     Version:  5.6
 Severity:  normal                 |  Resolution:
 Keywords:                         |     Focuses:
-----------------------------------+------------------------------
Description changed by SergeyBiryukov:
Old description:
> wp_validate_application_password only checks for the existence of
> $_SERVER['PHP_AUTH_USER'] before calling
> wp_authenticate_application_password with both $_SERVER['PHP_AUTH_USER']
> and $_SERVER['PHP_AUTH_PW'].
>
> In our environment (using Shibboleth-powered Single Sign-on),
> $_SERVER['PHP_AUTH_USER'] is already set, but $_SERVER['PHP_AUTH_PW'] is
> not defined.
>
> I believe that this section:
>
> // Check that we're trying to authenticate
> if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) ) {
> return $input_user;
> }
>
> should likely be extended to confirm the presence of both variables
> before calling wp_authenticate_application_password.
>
> (Of course, I'm also now worried about what other problems we'll run into
> using PHP_AUTH_USER the way we are, but that's for another day!)
New description:
wp_validate_application_password only checks for the existence of
`$_SERVER['PHP_AUTH_USER']` before calling
wp_authenticate_application_password with both `$_SERVER['PHP_AUTH_USER']`
and `$_SERVER['PHP_AUTH_PW']`.
In our environment (using Shibboleth-powered Single Sign-on),
`$_SERVER['PHP_AUTH_USER']` is already set, but `$_SERVER['PHP_AUTH_PW']`
is not defined.
I believe that this section:
{{{
// Check that we're trying to authenticate
if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) ) {
    return $input_user;
}
}}}
should likely be extended to confirm the presence of both variables before
calling wp_authenticate_application_password.
(Of course, I'm also now worried about what other problems we'll run into
using `PHP_AUTH_USER` the way we are, but that's for another day!)
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52003#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
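
The guard suggested in the ticket, sketched as an added example (not WordPress core code and not part of the ticket). The helper name basic_auth_credentials() and the sample request arrays are assumptions made for illustration; the output shows the one case where a user-only check and a both-keys check disagree.

```php
<?php
// Added illustration; not WordPress core code. basic_auth_credentials() is a
// hypothetical helper and the $requests arrays below are constructed samples.

/**
 * Return [user, password] only when the request carries both halves of an
 * HTTP Basic credential; otherwise return null so the caller can fall
 * through to its other authentication methods.
 */
function basic_auth_credentials( array $server ): ?array {
    // isset() with several arguments is true only if every key exists and is not null.
    if ( ! isset( $server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ) ) {
        return null;
    }
    return array( $server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] );
}

// Constructed request environments.
$requests = array(
    'no credentials'            => array(),
    // The situation from the ticket: something upstream (here, SSO) has
    // populated PHP_AUTH_USER, but no Basic password was ever sent.
    'SSO module set user only'  => array( 'PHP_AUTH_USER' => 'jdoe' ),
    'complete Basic credential' => array(
        'PHP_AUTH_USER' => 'jdoe',
        'PHP_AUTH_PW'   => 'constructed-sample-password',
    ),
);

foreach ( $requests as $label => $server ) {
    // The check quoted in the ticket looks at PHP_AUTH_USER only. When it
    // says "attempt" and PHP_AUTH_PW is missing, reading that key raises
    // "Undefined index" (PHP 7) or "Undefined array key" (PHP 8).
    $user_only_check = isset( $server['PHP_AUTH_USER'] );
    $credentials     = basic_auth_credentials( $server );

    printf(
        "%-26s user-only check: %-8s both-keys check: %s\n",
        $label,
        $user_only_check ? 'attempt' : 'skip',
        null === $credentials ? 'skip' : 'attempt'
    );
}
```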