[wp-trac] [WordPress Trac] #49395: User authentication broken for usernames that include spaces (PHP bug #78929)
WordPress Trac
noreply at wordpress.org
Mon Feb 10 19:38:15 UTC 2020
#49395: User authentication broken for usernames that include spaces (PHP bug
#78929)
------------------------------------+-----------------------------
 Reporter:  codeguy                 |      Owner:  (none)
     Type:  defect (bug)            |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:  5.3.2
 Severity:  critical                |   Keywords:
  Focuses:                          |
------------------------------------+-----------------------------
 PHP 7.4.2 (released on January 20, 2020) includes a change such that PHP
 does NOT decode plus signs in cookie values when reading those values from
 $_COOKIE. See https://bugs.php.net/bug.php?id=78929 and
 https://www.php.net/ChangeLog-7.php.

 When a WordPress user has a space in her username, that space is
 URL-encoded to a plus sign by setcookie() when written to the HTTP header
 during POST /wp-login.php. The plus sign is not decoded back to a space by
 PHP, and prevents WordPress from properly finding and authenticating the
 user. The affected code is in wp-includes/pluggable.php:788 and in the
 wp_parse_auth_cookie() function.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/49395>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
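
Added example, not part of the original ticket and not WordPress core code: a stand-alone PHP sketch of the round trip the report describes, comparing a decoder that turns "+" back into a space with one that leaves it literal. Assumptions: urlencode() stands in for setcookie()'s value encoding, urldecode()/rawurldecode() stand in for the two $_COOKIE behaviours, the cookie uses the four-part "|"-separated layout that wp_parse_auth_cookie() splits, and the user name, token and HMAC values are constructed.

```php
<?php
// Added illustration; not WordPress core code. It models the two cookie
// decoders with urldecode()/rawurldecode() instead of a real HTTP request.

// Assumption: setcookie() encodes the value like urlencode() (space -> "+"),
// as the report describes.
function encode_cookie_value(string $value): string {
    return urlencode($value);
}

// Decoder that turns "+" back into a space (behaviour before the change).
function decode_plus_as_space(string $raw): string {
    return urldecode($raw);
}

// Decoder that leaves "+" alone (behaviour the report attributes to PHP 7.4.2).
function decode_plus_literal(string $raw): string {
    return rawurldecode($raw);
}

// Assumed field layout of the auth cookie: four "|"-separated parts.
function parse_auth_cookie(string $cookie) {
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return false;
    }
    return array_combine(['username', 'expiration', 'token', 'hmac'], $parts);
}

// Constructed sample data: one account whose login contains a space.
$users  = ['jane doe' => true];
$cookie = implode('|', ['jane doe', '1581537600', 'constructed-token', 'constructed-hmac']);
$wire   = encode_cookie_value($cookie);

// Decode the same wire value both ways and look the user up by the result.
foreach (['decode_plus_as_space', 'decode_plus_literal'] as $decoder) {
    $parsed = parse_auth_cookie($decoder($wire));
    $found  = $parsed !== false && isset($users[$parsed['username']]);
    printf("%-22s username=%-10s user %s\n", $decoder,
        var_export($parsed['username'], true), $found ? 'found' : 'NOT found');
}
```

With the literal-plus decoder the parsed user name no longer matches the stored login, so the lookup by name fails even though the cookie's other fields are intact.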