
Changeset 49754

Timestamp:
12/04/2020 09:46:42 PM (4 years ago)
Author:
helen
Message:

App Passwords: Prevent conflicts when Basic Auth is already used by the site.

Application Passwords uses Basic Authentication to transfer authentication details. If the site is already using Basic Auth, for instance to implement a private staging environment, then the REST API treats this as an authentication attempt and ends up generating an error for any REST API request.

Now, Application Password authentication will only be attempted if Application Passwords is in use by a site. This is flagged by setting an option whenever an Application Password is created. An upgrade routine is added to set this option if any App Passwords already exist.

Lastly, creating an Application Password will be prevented if the site appears to already be using Basic Authentication.

Props chexwarrior, georgestephanis, adamsilverstein, helen, Clorith, marybaum, TimothyBlynJacobs.
Reviewed by TimothyBlynJacobs, helen.
Merges [49752] to the 5.6 branch.
Fixes #51939.

Location:
branches/5.6
Files:
9 edited

  • branches/5.6

  • branches/5.6/src/wp-admin/authorize-application.php

    r49617 r49754  
    8686        __( 'The Authorize Application request is not allowed.' ) . ' ' . implode( ' ', $is_valid->get_error_messages() ),
    8787        __( 'Cannot Authorize Application' )
     88
     89
     90
     91
     92
     93
     94
     95
     96
     97
     98
     99
    88100    );
    89101}
  • branches/5.6/src/wp-admin/includes/upgrade.php

    r49745 r49754  
    875875    }
    876876
    877     if ( $wp_current_db_version < 49735 ) {
     877    if ( $wp_current_db_version < 497 ) {
    878878        upgrade_560();
    879879    }
     
    22792279        delete_transient( 'dirsize_cache' );
    22802280    }
     2281
     2282
     2283
     2284
     2285
     2286
     2287
     2288
     2289
     2290
     2291
     2292
     2293
    22812294}
    22822295
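Review bot: As rendered, the new guard reads `if ( $wp_current_db_version < 497 )` and the matching assignment in version.php reads `$wp_db_version = 497;`, which is lower than the previous 49735 — taken literally, no existing install would ever reach `upgrade_560()`, and the upgrade routine the message relies on to flag existing Application Passwords would never run. This looks like the changeset viewer dropping the changed digits of an inline edit rather than the committed value; confirm that the committed `$wp_db_version` is greater than 49735 and that the guard here uses the same number. The upgrade body added at 2281–2293 is not visible in this rendering, so its logic could not be checked. The enclosing functions of both hunks start and end outside the section.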
  • branches/5.6/src/wp-admin/user-edit.php

    r49573 r49754  
    739739                }
    740740            }
    741             ?>
    742         <div class="create-application-password form-wrap">
    743             <div class="form-field">
    744                 <label for="new_application_password_name"><?php _e( 'New Application Password Name' ); ?></label>
    745                 <input type="text" size="30" id="new_application_password_name" name="new_application_password_name" placeholder="<?php esc_attr_e( 'WordPress App on My Phone' ); ?>" class="input" aria-required="true" aria-describedby="new_application_password_name_desc" />
    746                 <p class="description" id="new_application_password_name_desc"><?php _e( 'Required to create an Application Password, but not to update the user.' ); ?></p>
     741
     742            if ( empty( $_SERVER['PHP_AUTH_USER'] ) && empty( $_SERVER['PHP_AUTH_PW'] ) ) {
     743                ?>
     744            <div class="create-application-password form-wrap">
     745                <div class="form-field">
     746                    <label for="new_application_password_name"><?php _e( 'New Application Password Name' ); ?></label>
     747                    <input type="text" size="30" id="new_application_password_name" name="new_application_password_name" placeholder="<?php esc_attr_e( 'WordPress App on My Phone' ); ?>" class="input" aria-required="true" aria-describedby="new_application_password_name_desc" />
     748                    <p class="description" id="new_application_password_name_desc"><?php _e( 'Required to create an Application Password, but not to update the user.' ); ?></p>
     749                </div>
     750
     751                <?php
     752                /**
     753                 * Fires in the create Application Passwords form.
     754                 *
     755                 * @since 5.6.0
     756                 *
     757                 * @param WP_User $profileuser The current WP_User object.
     758                 */
     759                do_action( 'wp_create_application_password_form', $profileuser );
     760                ?>
     761
     762                <?php submit_button( __( 'Add New Application Password' ), 'secondary', 'do_new_application_password' ); ?>
    747763            </div>
    748 
    749             <?php
    750             /**
    751              * Fires in the create Application Passwords form.
    752              *
    753              * @since 5.6.0
    754              *
    755              * @param WP_User $profileuser The current WP_User object.
    756              */
    757             do_action( 'wp_create_application_password_form', $profileuser );
    758             ?>
    759 
    760             <?php submit_button( __( 'Add New Application Password' ), 'secondary', 'do_new_application_password' ); ?>
    761         </div>
     764        <?php } else { ?>
     765            <div class="notice notice-error inline">
     766                <p><?php _e( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ); ?></p>
     767            </div>
     768        <?php } ?>
    762769
    763770        <div class="application-passwords-list-table-wrapper">
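Review bot: The Basic Auth detection at new line 742 keys only on `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']`, which are populated only when the web server hands the credentials through to PHP; on CGI/FastCGI deployments that expose the `Authorization` header solely as `HTTP_AUTHORIZATION`, both stay empty and the create form is shown even though the site is behind Basic Auth, so the new notice would be missed on exactly the setups the message describes. Presumably the same detection gates creation in WP_Application_Passwords (the message says creation is prevented), whose added lines are not visible here; a single helper for "is Basic Auth in use" called from both places would keep the two checks from drifting. A short comment on the condition, `// Hide the create form when the request already carries Basic Auth credentials, since the REST API cannot tell them apart from an Application Password.`, would make the intent clear to the next reader. The `if`/`else` added at 742–768 is closed within the hunk; the surrounding markup continues outside it.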
  • branches/5.6/src/wp-includes/class-wp-application-passwords.php

    r49740 r49754  
    2424
    2525    /**
     26
     27
     28
     29
     30
     31
     32
     33
     34
    2635     * The generated application password length.
    2736     *
     
    3140     */
    3241    const PW_LENGTH = 24;
     42
     43
     44
     45
     46
     47
     48
     49
     50
     51
     52
     53
     54
    3355
    3456    /**
     
    6688        if ( ! $saved ) {
    6789            return new WP_Error( 'db_error', __( 'Could not save application password.' ) );
     90
     91
     92
     93
    6894        }
    6995
  • branches/5.6/src/wp-includes/user.php

    r49627 r49754  
    311311function wp_authenticate_application_password( $input_user, $username, $password ) {
    312312    if ( $input_user instanceof WP_User ) {
     313
     314
     315
     316
    313317        return $input_user;
    314318    }
  • branches/5.6/src/wp-includes/version.php

    r49749 r49754  
    2121 * @global int $wp_db_version
    2222 */
    23 $wp_db_version = 49735;
     23$wp_db_version = 497;
    2424
    2525/**
  • branches/5.6/tests/phpunit/tests/auth.php

    r49617 r49754  
    3838        $this->user = clone self::$_user;
    3939        wp_set_current_user( self::$user_id );
     40
    4041    }
    4142
     
    605606        $this->assertSame( self::$user_id, $user->ID );
    606607    }
     608
     609
     610
     611
     612
     613
     614
     615
     616
     617
    607618}
  • branches/5.6/tests/phpunit/tests/rest-api/rest-application-passwords-controller.php

    r49617 r49754  
    406406
    407407    /**
     408
     409
     410
     411
     412
     413
     414
     415
     416
     417
     418
     419
     420
     421
     422
     423
    408424     * @ticket 42790
    409425     */