From 7c14968e7e994ea8194f4c310b8a9d60192b769a Mon Sep 17 00:00:00 2001
From: "K. Adam White"
Date: Mon, 9 Oct 2023 14:40:29 +0100
Subject: [PATCH 1/3] 57512: Commit tests from 57512_with_tests_2.diff (adjusts comment formatting).
---
 tests/phpunit/tests/auth.php | 42 ++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
index facd456dd0227..04da0a006836b 100644
--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
@@ -844,4 +844,46 @@ public function data_application_passwords_can_use_capability_checks_to_determin
 'not allowed' => array( 'subscriber', false ),
 );
 }
+
+ /*
+ * @ticket 57512
+ * @covers ::wp_populate_basic_auth_from_authorization_header
+ */
+ public function tests_basic_http_authentication_with_username_and_password() {
+ // Header passed as "username:password".
+ $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=';
+
+ wp_populate_basic_auth_from_authorization_header();
+
+ $this->assertSame($_SERVER['PHP_AUTH_USER'], 'username');
+ $this->assertSame($_SERVER['PHP_AUTH_PW'], 'password');
+ }
+
+ /*
+ * @ticket 57512
+ * @covers ::wp_populate_basic_auth_from_authorization_header
+ */
+ public function tests_basic_http_authentication_with_username_only() {
+ // Malformed header passed as "username" with no password.
+ $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU=';
+
+ wp_populate_basic_auth_from_authorization_header();
+
+ $this->assertArrayNotHasKey('PHP_AUTH_USER', $_SERVER);
+ $this->assertArrayNotHasKey('PHP_AUTH_PW', $_SERVER);
+ }
+
+ /*
+ * @ticket 57512
+ * @covers ::wp_populate_basic_auth_from_authorization_header
+ */
+ public function tests_basic_http_authentication_with_more_than_2_parts() {
+ // Header passed as "username:pass:word" where password contains colon.
+ $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU6cGFzczp3b3Jk';
+
+ wp_populate_basic_auth_from_authorization_header();
+
+ $this->assertSame($_SERVER['PHP_AUTH_USER'], 'username');
+ $this->assertSame($_SERVER['PHP_AUTH_PW'], 'pass:word');
+ }
 }
From 69c34467f5995105249b3945496f4b587c0696aa Mon Sep 17 00:00:00 2001
From: "K. Adam White"
Date: Mon, 9 Oct 2023 15:03:41 +0100
Subject: [PATCH 2/3] 57512: Commit patch from 57512_with_tests_2.diff (adjusts comment formatting).
---
 src/wp-includes/load.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
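Review bot: The three new test methods open their annotation blocks with `/*` rather than `/**`, so PHPUnit does not treat them as doc comments and the `@ticket 57512` and `@covers ::wp_populate_basic_auth_from_authorization_header` annotations are not read; each opener should be `/**` (the `@@ -869` hunk of patch 3 carries the same opener through unchanged). The `assertSame()` calls pass the actual value first; `assertSame( 'username', $_SERVER['PHP_AUTH_USER'] )` puts the expected value first so failure output reads correctly. None of the tests clears `$_SERVER['HTTP_AUTHORIZATION']`, and the username-only test asserts that `PHP_AUTH_USER` is absent, which only holds if earlier tests did not leave it set; unless the class's tear-down (outside this hunk) already resets these keys, add `unset( $_SERVER['HTTP_AUTHORIZATION'], $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );` there so credential state cannot leak between tests.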
diff --git a/src/wp-includes/load.php b/src/wp-includes/load.php
index 77e17b3f8b877..520902cdd64ba 100644
--- a/src/wp-includes/load.php
+++ b/src/wp-includes/load.php
@@ -126,7 +126,12 @@ function wp_populate_basic_auth_from_authorization_header() {
 $token = substr( $header, 6 );
 $userpass = base64_decode( $token );
- list( $user, $pass ) = explode( ':', $userpass );
+ // There must be at least one colon in the string.
+ if ( ! str_contains( $userpass, ':' ) ) {
+ return;
+ }
+
+ list( $user, $pass ) = explode( ':', $userpass, 2 );
 // Now shove them in the proper keys where we're expecting later on.
 $_SERVER['PHP_AUTH_USER'] = $user;
From d08be4613b4a50a93c215f3129da22facc28ede1 Mon Sep 17 00:00:00 2001
From: "K. Adam White"
Date: Mon, 9 Oct 2023 15:21:50 +0100
Subject: [PATCH 3/3] 57512: Correct PHPCS errors and improve test name in 57512_with_tests_2.diff.
---
 tests/phpunit/tests/auth.php | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
index 04da0a006836b..8ab32d9f69639 100644
--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
@@ -855,8 +855,8 @@ public function tests_basic_http_authentication_with_username_and_password() {
 wp_populate_basic_auth_from_authorization_header();
- $this->assertSame($_SERVER['PHP_AUTH_USER'], 'username');
- $this->assertSame($_SERVER['PHP_AUTH_PW'], 'password');
+ $this->assertSame( $_SERVER['PHP_AUTH_USER'], 'username' );
+ $this->assertSame( $_SERVER['PHP_AUTH_PW'], 'password' );
 }
 /*
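Review bot: `base64_decode( $token )` on the context line above the new guard still decodes in non-strict mode, so characters outside the base64 alphabet are silently discarded and the colon check runs on whatever bytes remain; a malformed `Authorization` value can therefore still end up in `PHP_AUTH_USER` and `PHP_AUTH_PW`. Consider `$userpass = base64_decode( $token, true );` with the guard widened to `if ( false === $userpass || ! str_contains( $userpass, ':' ) ) {`, after confirming that no supported client depends on lenient decoding. A comment on the `explode( ':', $userpass, 2 )` line such as `// Limit to 2 parts: the password may itself contain colons.` would record why the limit is there. The function starts and ends outside this hunk, so the earlier header checks are not visible here.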
@@ -869,21 +869,21 @@ public function tests_basic_http_authentication_with_username_only() {
 wp_populate_basic_auth_from_authorization_header();
- $this->assertArrayNotHasKey('PHP_AUTH_USER', $_SERVER);
- $this->assertArrayNotHasKey('PHP_AUTH_PW', $_SERVER);
+ $this->assertArrayNotHasKey( 'PHP_AUTH_USER', $_SERVER );
+ $this->assertArrayNotHasKey( 'PHP_AUTH_PW', $_SERVER );
 }
 /*
 * @ticket 57512
 * @covers ::wp_populate_basic_auth_from_authorization_header
 */
- public function tests_basic_http_authentication_with_more_than_2_parts() {
+ public function tests_basic_http_authentication_with_colon_in_password() {
 // Header passed as "username:pass:word" where password contains colon.
 $_SERVER['HTTP_AUTHORIZATION'] = 'Basic dXNlcm5hbWU6cGFzczp3b3Jk';
 wp_populate_basic_auth_from_authorization_header();
- $this->assertSame($_SERVER['PHP_AUTH_USER'], 'username');
- $this->assertSame($_SERVER['PHP_AUTH_PW'], 'pass:word');
+ $this->assertSame( $_SERVER['PHP_AUTH_USER'], 'username' );
+ $this->assertSame( $_SERVER['PHP_AUTH_PW'], 'pass:word' );
 }
 }