[wp-trac] [WordPress Trac] #53329: Empty Authorization header brings down site in wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
WordPress Trac
noreply at wordpress.org
Thu Jun 3 17:30:00 UTC 2021
#53329: Empty Authorization header brings down site in wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
--------------------------+-----------------------------
Reporter: rosandiford | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: REST API | Version: 5.7.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
I really don't know why this happened - just reporting in case this is a
WordPress software issue.
A look I work with went down. Debugging showed this was because requests
were made with an empty Authorization header (empty string).
If the Authorization header is -set- which it was,
wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
tries to call a function with the name of its value.
This leads to an error, unknown function () when it is an empty string.
I don't know why all the requests to this site had an empty authorization
header - whether this is a server issue or not.
I had to work around this issue with a code change, to ignore an
Authorization header with no value:

    if(isset($_HEADERS['Authorization']))

to

    if(isset($_HEADERS['Authorization']) && $_HEADERS['Authorization'] !== "")
Any ideas? WordPress issue? server issue? Good idea to implement this
anyway as a safeguard?
Apologies if I have missed anything, short of time.
Occurs without plugins, and with multiple themes.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/53329>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
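
The safeguard asked about in the ticket, as an added example that is not part of the original report and is not WordPress core code: it treats a set-but-empty Authorization header as absent and picks a handler from a fixed allowlist instead of using the header text as a function name. All function names and sample headers here are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical names, not WordPress core code.

/**
 * Return the Authorization header value, or null when it is absent,
 * not a string, or empty / whitespace-only.
 */
function example_get_authorization(array $headers): ?string
{
    foreach ($headers as $name => $value) {
        if (strcasecmp((string) $name, 'Authorization') === 0) {
            $value = is_string($value) ? trim($value) : '';
            return $value === '' ? null : $value;
        }
    }
    return null;
}

/** Choose a handler by scheme from an allowlist, never by header text. */
function example_dispatch_auth(array $headers): string
{
    $handlers = [
        'basic'  => static fn(string $cred): string => 'basic:' . strlen($cred),
        'bearer' => static fn(string $cred): string => 'bearer:' . strlen($cred),
    ];

    $auth = example_get_authorization($headers);
    if ($auth === null) {
        return 'anonymous'; // set-but-empty is handled like "not sent"
    }

    // Split "<scheme> <credentials>"; pad so a lone token still unpacks.
    [$scheme, $cred] = array_pad(preg_split('/\s+/', $auth, 2), 2, '');
    $scheme = strtolower($scheme);

    return isset($handlers[$scheme]) ? $handlers[$scheme]($cred) : 'rejected';
}

// Constructed sample requests.
$samples = [
    'no header'      => [],
    'empty header'   => ['Authorization' => ''],
    'basic'          => ['Authorization' => 'Basic dXNlcjpwYXNz'],
    'unknown scheme' => ['Authorization' => 'Custom abc'],
];
foreach ($samples as $label => $headers) {
    // isset() alone is true for the empty string, which is the case reported.
    echo $label, ': isset=', var_export(isset($headers['Authorization']), true),
        ' => ', example_dispatch_auth($headers), PHP_EOL;
}
```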