From 6a8a83ea0903c48b3918bc437acbad2a91afb69a Mon Sep 17 00:00:00 2001 From: TimothyBlynJacobs Date: Sun, 24 Jan 2021 02:57:59 +0000 Subject: [PATCH] App Passwords: Extract Basic Auth check into a reusable filterable function. In [49752] a check was added to prevent creating new Application Passwords if Basic Auth credentials were detected to prevent conflicts. This check takes place in WP-Admin, though a conflict would only arise if Basic Auth was used on the website's front-end. This commit extracts the Basic Auth check into a reusable function, `wp_is_site_protected_by_basic_auth()`, which can be adjusted using a filter of the same name. This way, a site that uses Basic Auth to protect WP-Admin can still use the Application Passwords feature. In the future, instead of requiring the use of a filter, WordPress could make a loopback request and check for a `WWW-Authenticate` header to make this detection more robust out of the box. Props SeBsZ, archon810, aaroncampbell, ocean90, SergeyBiryukov, TimothyBlynJacobs. Fixes #52066. Built from https://develop.svn.wordpress.org/trunk@50006 git-svn-id: http://core.svn.wordpress.org/trunk@49707 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-admin/authorize-application.php | 2 +- wp-admin/user-edit.php | 2 +- wp-includes/load.php | 43 ++++++++++++++++++++++++++++++ wp-includes/version.php | 2 +- 4 files changed, 46 insertions(+), 3 deletions(-) diff --git a/wp-admin/authorize-application.php b/wp-admin/authorize-application.php index 294d4fe10e..94327b05b7 100644 --- a/wp-admin/authorize-application.php +++ b/wp-admin/authorize-application.php @@ -88,7 +88,7 @@ if ( is_wp_error( $is_valid ) ) { ); } -if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] ) ) { +if ( wp_is_site_protected_by_basic_auth( 'front' ) ) { wp_die( __( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ), __( 'Cannot Authorize Application' ), diff --git a/wp-admin/user-edit.php b/wp-admin/user-edit.php index 4177288547..b09f14fac5 100644 --- a/wp-admin/user-edit.php +++ b/wp-admin/user-edit.php @@ -739,7 +739,7 @@ endif; } } - if ( empty( $_SERVER['PHP_AUTH_USER'] ) && empty( $_SERVER['PHP_AUTH_PW'] ) ) { + if ( ! wp_is_site_protected_by_basic_auth( 'front' ) ) { ?>
diff --git a/wp-includes/load.php b/wp-includes/load.php index 6bd7614ecd..15feeeaf3c 100644 --- a/wp-includes/load.php +++ b/wp-includes/load.php @@ -1685,3 +1685,46 @@ function wp_is_xml_request() { return false; } + +/** + * Checks if this site is protected by HTTP Basic Auth. + * + * At the moment, this merely checks for the present of Basic Auth credentials. Therefore, calling this function + * with a context different from the current context may give inaccurate results. In a future release, this + * evaluation may be made more robust. + * + * Currently, this is only used by Application Passwords to prevent a conflict since it also utilizes Basic Auth. + * + * @since 5.6.1 + * + * @global string $pagenow The current page. + * + * @param string $context The context to check for protection. Accepts 'login', 'admin', and 'front'. Defaults to the current context. + * + * @return bool + */ +function wp_is_site_protected_by_basic_auth( $context = '' ) { + global $pagenow; + + if ( ! $context ) { + if ( 'wp-login.php' === $pagenow ) { + $context = 'login'; + } elseif ( is_admin() ) { + $context = 'admin'; + } else { + $context = 'front'; + } + } + + $is_protected = ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] ); + + /** + * Filters whether a site is protected by HTTP Basic Auth. + * + * @since 5.6.1 + * + * @param bool $is_protected Whether the site is protected by Basic Auth. + * @param string $context The context to check for protection. One of 'login', 'admin', or 'front'. + */ + return apply_filters( 'wp_is_site_protected_by_basic_auth', $is_protected, $context ); +} diff --git a/wp-includes/version.php b/wp-includes/version.php index 45113c792d..bbecd23be8 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.7-alpha-50005'; +$wp_version = '5.7-alpha-50006'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.