[wp-trac] [WordPress Trac] #55870: WP App Passwords Should be URL Decoded

WordPress Trac noreply at wordpress.org
Sun May 29 04:05:15 UTC 2022

#55870: WP App Passwords Should be URL Decoded
 Reporter:  mrahmadawais           |      Owner:  (none)
     Type:  defect (bug)           |     Status:  new
 Priority:  normal                 |  Milestone:  Awaiting Review
Component:  Application Passwords  |    Version:  trunk
 Severity:  normal                 |   Keywords:
  Focuses:  rest-api               |
 Using OAuth 2 based authentication, IETF recommends for [client URL
 encoded](https://datatracker.ietf.org/doc/html/rfc6749#appendix-B)

 Which means, by using some Node OpenID clients, we always get
 `Authorization: Basic urlSafeEncodedBase64String('user:pass')`.

 This fails to authenticate as [WordPress doesn't
 includes/user.php#L474) the `user` and `pass` which could also be clientId
 and clientSecret in OAuth2.

 This could be solved by using `urldecode( string $str )`.

 ```php
 // Current call in wp-includes/user.php: the Basic auth values are passed through as received.
 $authenticated = wp_authenticate_application_password( null, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );

 // Proposed: URL-decode the credentials before they are checked.
 $authenticated = wp_authenticate_application_password( null, urldecode( $_SERVER['PHP_AUTH_USER'] ), urldecode( $_SERVER['PHP_AUTH_PW'] ) );
 ```
 Would you folks be up for a patch for this?

Ticket URL: <https://core.trac.wordpress.org/ticket/55870>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
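The mismatch the ticket describes, as an added example that is not part of the ticket or of WordPress core: a client that form-urlencodes its credentials per RFC 6749 before base64-encoding the Basic header, and a server that either compares the raw decoded pair (the reported behaviour) or URL-decodes first (the proposed fix). The user name, application password, and function names are constructed for illustration.

```javascript
// Added example, not code from the ticket or from WordPress core.
// Sample credentials below are constructed; the user name and password are hypothetical.

// RFC 6749 section 2.3.1 / Appendix B: client_id and client_secret are
// application/x-www-form-urlencoded before going into the Basic header,
// so "@" becomes "%40" and a space becomes "+".
function formUrlEncode(value) {
  return encodeURIComponent(value).replace(/%20/g, "+");
}

// Inverse of formUrlEncode; matches PHP urldecode(), which also maps "+" to a space.
function formUrlDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, " "));
}

// What a spec-compliant OAuth 2 client sends.
function buildBasicAuthHeader(clientId, clientSecret) {
  const pair = `${formUrlEncode(clientId)}:${formUrlEncode(clientSecret)}`;
  return "Basic " + Buffer.from(pair, "utf8").toString("base64");
}

// Server side: split the Basic header into user and password.
// decode=false is the behaviour reported in the ticket: the still-encoded
// strings are handed straight to the password check.
function parseBasicAuthHeader(header, decode) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header);
  if (!m) return null;
  const pair = Buffer.from(m[1], "base64").toString("utf8");
  const idx = pair.indexOf(":"); // only the first ":" separates user and password
  if (idx < 0) return null;
  const user = pair.slice(0, idx);
  const pass = pair.slice(idx + 1);
  return decode
    ? { user: formUrlDecode(user), pass: formUrlDecode(pass) }
    : { user, pass };
}

// WordPress shows application passwords as space-separated groups and user
// names may contain "@", so the encoded form never equals the stored value
// unless the server decodes it first.
function credentialsMatch(header, expectedUser, expectedPass, decode) {
  const creds = parseBasicAuthHeader(header, decode);
  return creds !== null && creds.user === expectedUser && creds.pass === expectedPass;
}

// Constructed sample values (hypothetical).
const SAMPLE_USER = "editor@example.com";
const SAMPLE_PASS = "abcd efgh ijkl mnop qrst uvwx";
const SAMPLE_HEADER = buildBasicAuthHeader(SAMPLE_USER, SAMPLE_PASS);
```

Decoding on the server is only safe because RFC 6749 requires clients to encode; a client that sends a raw password containing "+" or "%" would have it altered, which is worth checking against existing non-OAuth clients before shipping the change.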