[wp-trac] [WordPress Trac] #55870: WP App Passwords Should be URL Decoded
WordPress Trac
noreply at wordpress.org
Sun May 29 04:05:15 UTC 2022
#55870: WP App Passwords Should be URL Decoded
-----------------------------------+-----------------------------
Reporter: mrahmadawais | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Application Passwords | Version: trunk
Severity: normal | Keywords:
Focuses: rest-api |
-----------------------------------+-----------------------------
With OAuth 2 based authentication, the IETF recommends URL-[encoded](https://datatracker.ietf.org/doc/html/rfc6749#appendix-B)
forms for [client id/secrets](https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1).
This means that, with some Node OpenID clients, we always get
`Authorization: Basic urlSafeEncodedBase64String('user:pass')`.
This fails to authenticate as [WordPress doesn't decode](https://github.com/WordPress/wordpress-develop/blob/0a6c37ceb0a86bebf0b287ac12d200e67bbf948f/src/wp-includes/user.php#L474)
the `user` and `pass`, which could also be clientId and clientSecret in OAuth2.
This could be solved by using `urldecode( string $str )`.
BEFORE
{{{#!php
<?php
$authenticated = wp_authenticate_application_password( null,
$_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] );
}}}
AFTER
{{{#!php
<?php
$authenticated = wp_authenticate_application_password(
	null,
	urldecode( $_SERVER['PHP_AUTH_USER'] ),
	urldecode( $_SERVER['PHP_AUTH_PW'] )
);
}}}
Would you folks be up for a patch for this?
--
Ticket URL: <https://core.trac.wordpress.org/ticket/55870>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
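An added illustration of the mismatch the ticket describes (example code, not WordPress core): the client side encodes the credentials the way RFC 6749 Appendix B prescribes, and the receiving side is shown both without and with the proposed `urldecode()` step. The user name and application password are constructed values.

```php
<?php
// Added example, not WordPress core code. Shows why a Basic header built by an
// RFC 6749 client only round-trips when the server reverses the form-encoding.

/** Client side: RFC 6749 section 2.3.1 / Appendix B encoding of client credentials. */
function oauth2_basic_header( string $client_id, string $client_secret ): string {
	// urlencode() yields application/x-www-form-urlencoded output:
	// space becomes '+', '@' becomes '%40', ':' becomes '%3A'.
	$pair = urlencode( $client_id ) . ':' . urlencode( $client_secret );
	return 'Basic ' . base64_encode( $pair );
}

/**
 * Server side: parse the header back into array( user, pass ).
 * $decode = false mirrors the current WordPress behaviour (raw values);
 * $decode = true applies the urldecode() step the ticket proposes.
 */
function parse_basic_header( string $header, bool $decode ): ?array {
	if ( stripos( $header, 'Basic ' ) !== 0 ) {
		return null;
	}
	$raw = base64_decode( substr( $header, 6 ), true );
	if ( false === $raw || false === strpos( $raw, ':' ) ) {
		return null;
	}
	// Split on the first colon only; an encoded secret may itself contain '%3A'.
	list( $user, $pass ) = explode( ':', $raw, 2 );
	if ( $decode ) {
		// urldecode(), not rawurldecode(): only the former maps '+' back to a space.
		$user = urldecode( $user );
		$pass = urldecode( $pass );
	}
	return array( $user, $pass );
}

// Constructed credentials: an e-mail style login and a WordPress-shaped app password.
$user = 'ops.admin@example.com';
$pass = 'abcd efgh ijkl mnop qrst uvwx';

$header = oauth2_basic_header( $user, $pass );

list( $u_raw, $p_raw )         = parse_basic_header( $header, false );
list( $u_decoded, $p_decoded ) = parse_basic_header( $header, true );

printf( "raw user:     %s\nraw pass:     %s\n", $u_raw, $p_raw );
printf( "decoded user: %s\ndecoded pass: %s\n", $u_decoded, $p_decoded );
printf( "raw matches: %s, decoded matches: %s\n",
	( $u_raw === $user && $p_raw === $pass ) ? 'yes' : 'no',
	( $u_decoded === $user && $p_decoded === $pass ) ? 'yes' : 'no' );
```

Decoding unconditionally has a cost worth weighing in review: a client that sends a literal `%` or `+` without form-encoding would have its credential altered, so the server cannot distinguish the two client behaviours from the header alone.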