Changeset 56804

Timestamp:

10/09/2023 02:47:57 PM (10 months ago)

Author:

kadamwhite

Message:

REST API: Correct parsing of password from Authorization header when processing Application Password credentials.

Exit early when parsing Application Password credentials if Authorization header value does not contain at least one colon. The Authorization Basic header must use a colon to separate the username and password components per RFC 7617, so a username-only string is malformed and should not be processed.

Split Authorization header only on the first colon, properly handling passwords containing colons.

Resolves PHP 8.0 warning when list() was called on an exploded credentials array containing only one element.

Props kalpeshh, shooper, sc0ttkclark, jrf, mukesh27, oglekler, nicolefurlan.
Fixes #57512.

Location:

trunk

Files:

• src/wp-includes/load.php (modified) (1 diff)
• tests/phpunit/tests/auth.php (modified) (1 diff)

trunk/src/wp-includes/load.php

@@ -127 +127 @@
     $userpass = base64_decode( $token );
 
-    list( $user, $pass ) = explode( ':', $userpass );
+    // There must be at least one colon in the string.
+    if ( ! str_contains( $userpass, ':' ) ) {
+        return;
+    }
+
+    list( $user, $pass ) = explode( ':', $userpass, 2 );
 
     // Now shove them in the proper keys where we're expecting later on.

trunk/tests/phpunit/tests/auth.php

@@ -845 +845 @@
         );
     }
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
 }