[wp-trac] [WordPress Trac] #52066: Application Passwords are unusable in combination with password protected /wp-admin
WordPress Trac
noreply at wordpress.org
Thu Jan 28 00:27:27 UTC 2021
#52066: Application Passwords are unusable in combination with password protected
/wp-admin
------------------------------------------+--------------------------------
Reporter: SeBsZ | Owner: TimothyBlynJacobs
Type: defect (bug) | Status: closed
Priority: normal | Milestone: 5.6.1
Component: Application Passwords | Version: 5.6
Severity: major | Resolution: fixed
Keywords: has-patch commit fixed-major | Focuses:
------------------------------------------+--------------------------------
Changes (by whyisjake):
* status: reopened => closed
* resolution: => fixed
Comment:
In [changeset:"50044" 50044]:
{{{
#!CommitTicketReference repository="" revision="50044"
App Passwords: Extract Basic Auth check into a reusable filterable function.

In [49752] a check was added to prevent creating new Application Passwords
if Basic Auth credentials were detected to prevent conflicts. This check
takes place in WP-Admin, though a conflict would only arise if Basic Auth
was used on the website's front-end.

This commit extracts the Basic Auth check into a reusable function,
wp_is_site_protected_by_basic_auth(), which can be adjusted using a filter
of the same name. This way, a site that uses Basic Auth to protect WP-Admin
can still use the Application Passwords feature.

In the future, instead of requiring the use of a filter, WordPress could
make a loopback request and check for a WWW-Authenticate header to make
this detection more robust out of the box.

This brings the changes from [50006] to the 5.6 branch.

Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov,
TimothyBlynJacobs.

Fixes #52066.
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/52066#comment:15>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
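
The commit message above mentions a loopback request that checks for a WWW-Authenticate header as a possible future detection method. One way a site could do that today through the `wp_is_site_protected_by_basic_auth` filter, as an added example that is not WordPress core code; the callback name and transient key are hypothetical:

```php
<?php
/**
 * Added example, not WordPress core code. The function name and transient key
 * are hypothetical; the filter name comes from the commit message above.
 *
 * @param bool $is_protected Value core derived from the current request.
 * @return bool Whether the front-end itself answers with a Basic Auth challenge.
 */
function example_front_end_requires_basic_auth( $is_protected ) {
	// Reuse a recent probe result so admin pages do not trigger a request on each load.
	$cached = get_transient( 'example_front_end_basic_auth' );
	if ( false !== $cached ) {
		return 'yes' === $cached;
	}

	// Unauthenticated loopback request to the front-end; no credentials are sent.
	$response = wp_remote_get( home_url( '/' ), array( 'timeout' => 5 ) );

	// Loopback blocked or failed: keep whatever core detected.
	if ( is_wp_error( $response ) ) {
		return $is_protected;
	}

	$code      = (int) wp_remote_retrieve_response_code( $response );
	$challenge = wp_remote_retrieve_header( $response, 'www-authenticate' );

	// The header may be a string, or an array when several challenges are sent.
	$has_basic = false;
	foreach ( (array) $challenge as $value ) {
		if ( 0 === stripos( ltrim( (string) $value ), 'basic' ) ) {
			$has_basic = true;
		}
	}

	// Only a 401 carrying a Basic challenge means the front-end is protected.
	$protected = ( 401 === $code && $has_basic );
	set_transient( 'example_front_end_basic_auth', $protected ? 'yes' : 'no', HOUR_IN_SECONDS );

	return $protected;
}
add_filter( 'wp_is_site_protected_by_basic_auth', 'example_front_end_requires_basic_auth' );
```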