[wp-trac] [WordPress Trac] #55870: WP App Passwords Should be URL Decoded

WordPress Trac noreply at wordpress.org
Sun May 29 19:25:28 UTC 2022


#55870: WP App Passwords Should be URL Decoded
-----------------------------------+------------------------------
 Reporter:  mrahmadawais           |       Owner:  (none)
     Type:  defect (bug)           |      Status:  new
 Priority:  normal                 |   Milestone:  Awaiting Review
Component:  Application Passwords  |     Version:  5.6
 Severity:  normal                 |  Resolution:
 Keywords:  reporter-feedback      |     Focuses:  rest-api
-----------------------------------+------------------------------
Changes (by TimothyBlynJacobs):

 * keywords:   => reporter-feedback
 * version:  trunk => 5.6


Old description:

> Using OAuth 2 based authentication, IETF recommends for [client
> id/secrets](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1)
> URL [encoded](https://datatracker.ietf.org/doc/html/rfc6749#appendix-B)
> forms.
>
> Which means, by using some node OpenID clients, we always get
> `Authorization: Basic urlSafeEncodedBase64String('user:pass')`.
>
> This fails to authenticate as [WordPress doesn't
> decode](https://github.com/WordPress/wordpress-
> develop/blob/0a6c37ceb0a86bebf0b287ac12d200e67bbf948f/src/wp-
> includes/user.php#L474) the `user` and `pass` which could also be
> clientId and clientSecret in OAuth2.
>
> This could be solved by using `urldecode( string $str )`.
>
> BEFORE
>
> {{{#!php
> <?php
> $authenticated = wp_authenticate_application_password( null,
> $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
> }}}
>
> AFTER
>
> {{{#!php
> <?php
> $authenticated = wp_authenticate_application_password( null,
> urldecode($_SERVER['PHP_AUTH_USER']), urldecode($_SERVER['PHP_AUTH_PW'])
> );
> }}}
>
> Would you folks be up for a patch for this?

New description:

 Using OAuth 2 based authentication, IETF recommends for
 [https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 client
 id/secrets] URL [https://datatracker.ietf.org/doc/html/rfc6749#appendix-B
 encoded] forms.

 Which means, by using some node OpenID clients, we always get
 `Authorization: Basic urlSafeEncodedBase64String('user:pass')`.

 This fails to authenticate as [https://github.com/WordPress/wordpress-
 develop/blob/0a6c37ceb0a86bebf0b287ac12d200e67bbf948f/src/wp-
 includes/user.php#L474 WordPress doesn't decode] the `user` and `pass`
 which could also be clientId and clientSecret in OAuth2.


 This could be solved by using `urldecode( string $str )`.

 BEFORE

 {{{#!php
 <?php
 $authenticated = wp_authenticate_application_password( null,
 $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
 }}}


 AFTER

 {{{#!php
 <?php
 $authenticated = wp_authenticate_application_password( null,
 urldecode($_SERVER['PHP_AUTH_USER']), urldecode($_SERVER['PHP_AUTH_PW'])
 );
 }}}


 Would you folks be up for a patch for this?

--

Comment:

 Hi @mrahmadawais,

 Thanks for the ticket!

 I'm not sure why an OpenID client would be used with App Passwords. One of
 the benefits of App Passwords using Basic Authentication is that it is
 built into many HTTP clients by simply passing a `username` and
 `password` field. For instance ''Axios'' and ''Guzzle'' both have an
 `auth` field.

 The OAuth specification requires following that encoding process. However,
 Application Passwords is not OAuth, so I'm not sure why we'd be following
 the OAuth specification here.

 If we did want to match the OAuth specification, changing the encoding
 format could potentially cause a backward compatibility break. Though it
 would be unlikely due to the selection of characters that WordPress Core
 generates.

 All that being said, I'm not sure what the practical benefit here is. If
 the values passed to App Passwords are an OAuth `client_id` and
 `client_secret` they won't be successfully authenticated by
 `wp_authenticate_application_password` regardless of the encoding method
 chosen because they aren't App Passwords.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/55870#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

