[wp-trac] [WordPress Trac] #53329: Empty Authorization header brings down site in wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php

WordPress Trac noreply at wordpress.org
Thu Jun 3 17:54:32 UTC 2021


#53329: Empty Authorization header brings down site in wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php
--------------------------+------------------------------
 Reporter:  rosandiford   |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Awaiting Review
Component:  REST API      |     Version:  5.7.2
 Severity:  normal        |  Resolution:
 Keywords:                |     Focuses:
--------------------------+------------------------------
Description changed by sabernhardt:

Old description:

> I really don't know why this happened - just reporting in case this is a
> WordPress software issue.
>
> A look I work with went down. Debugging showed this was because requests
> were made with an empty Authorization header (empty string).
>
> If the Authorization header is -set- which it was, wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php tries to call a
> function with the name of its value.
>
> This leads to an error, unknown function () when it is an empty string.
>
> I don't know why all the requests to this site had an empty authorization
> header - whether this is a server issue or not.
>
> I had to work around this issue with a code change, ignore an
> Authorization header with no value
>
> if(isset($_HEADERS['Authorization']))
> to
> if(isset($_HEADERS['Authorization']) && $_HEADERS['Authorization'] !== "")
>
> Any ideas? WordPress issue? server issue? Good idea to implement this
> anyway as a safeguard?
>
> Apologies if I have missed anything, short of time.
>
> Occurs without plugins, and with multiple themes.

New description:

 I really don't know why this happened - just reporting in case this is a
 WordPress software issue.

 A look I work with went down. Debugging showed this was because requests
 were made with an empty Authorization header (empty string).

 If the Authorization header is -set- which it was, wp-includes/rest-api/endpoints/class-wp-rest-attachments-controller.php tries to call a
 function with the name of its value.

 This leads to an error, unknown function () when it is an empty string.

 I don't know why all the requests to this site had an empty authorization
 header - whether this is a server issue or not.

 I had to work around this issue with a code change, ignore an
 Authorization header with no value

 `if(isset($_HEADERS['Authorization']))`
 to
 `if(isset($_HEADERS['Authorization']) && $_HEADERS['Authorization'] !== "")`

 Any ideas? WordPress issue? server issue? Good idea to implement this
 anyway as a safeguard?

 Apologies if I have missed anything, short of time.

 Occurs without plugins, and with multiple themes.

--

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/53329#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
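The failure the ticket describes, a function call whose name is derived from the Authorization header, alongside a hardened form that treats an empty header as absent (the reporter's workaround) and only dispatches through a fixed allowlist. This is a constructed example added here, not code from WordPress core; every function name in it is an assumption for illustration.

```php
<?php
// Added example, not WordPress core code. Handler names are assumptions.

function handle_basic( $value )  { return 'basic'; }
function handle_bearer( $value ) { return 'bearer'; }

// Fragile: whatever the client sends becomes part of a function name. An
// empty header yields "Call to undefined function" and the request dies.
function fragile_dispatch( array $headers ) {
	if ( isset( $headers['Authorization'] ) ) {
		$scheme  = strtolower( (string) strtok( $headers['Authorization'], ' ' ) );
		$handler = 'handle_' . $scheme;
		return $handler( $headers['Authorization'] );
	}
	return 'anonymous';
}

// Hardened: an empty or whitespace-only header counts as absent, and only an
// allowlisted scheme selects a handler, so no client-controlled string is
// ever used as a function name. Unknown schemes fail closed.
function hardened_dispatch( array $headers ) {
	$value = isset( $headers['Authorization'] ) ? trim( $headers['Authorization'] ) : '';
	if ( '' === $value ) {
		return 'anonymous';
	}
	$scheme   = strtolower( (string) strtok( $value, ' ' ) );
	$handlers = array( 'basic' => 'handle_basic', 'bearer' => 'handle_bearer' );
	if ( ! isset( $handlers[ $scheme ] ) ) {
		return 'rejected';
	}
	return $handlers[ $scheme ]( $value );
}

// Constructed requests: the empty header from the ticket, then a well-formed one.
$empty = array( 'Authorization' => '' );
$ok    = array( 'Authorization' => 'Bearer example-token' );

try {
	echo 'fragile: ', fragile_dispatch( $empty ), "\n";
} catch ( \Error $e ) {
	// PHP 7+ raises \Error for an undefined function, so the failure is shown
	// here without terminating the script.
	echo 'fragile: ', $e->getMessage(), "\n";
}
echo 'hardened: ', hardened_dispatch( $empty ), "\n";
echo 'hardened: ', hardened_dispatch( $ok ), "\n";
```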

