App Passwords: Prevent conflicts when Basic Auth is already used by the site.

Application Passwords uses Basic Authentication to transfer authentication details. If the site is already using Basic Auth, for instance to implement a private staging environment, then the REST API will treat this as an authentication attempt and would end up generating an error for any REST API request. Now, Application Password authentication will only be attempted if Application Passwords is in use by a site. This is flagged by setting an option whenever an Application Password is created. An upgrade routine is added to set this option if any App Passwords already exist. Lastly, creating an Application Password will be prevented if the site appears to already be using Basic Authentication. Props chexwarrior, georgestephanis, adamsilverstein, helen, Clorith, marybaum, TimothyBlynJacobs. Reviewed by TimothyBlynJacobs, helen. Merges [49752] to the 5.6 branch. Fixes #51939. Built from https://develop.svn.wordpress.org/branches/5.6@49754 git-svn-id: http://core.svn.wordpress.org/branches/5.6@49477 1a063a9b-81f0-0310-95a4-ce76da25c4cd
2020-12-04 21:48:03 +00:00 · 2020-12-04 21:48:03 +00:00 · 1fc7b75913
parent cb323ada27
commit 1fc7b75913
6 changed files with 85 additions and 23 deletions
--- a/wp-admin/authorize-application.php
+++ b/wp-admin/authorize-application.php
@ -88,6 +88,18 @@ if ( is_wp_error( $is_valid ) ) {
 	);
 }

+if ( ! empty( $_SERVER['PHP_AUTH_USER'] ) || ! empty( $_SERVER['PHP_AUTH_PW'] ) ) {
+	wp_die(
+		__( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ),
+		__( 'Cannot Authorize Application' ),
+		array(
+			'response'  => 501,
+			'link_text' => __( 'Go Back' ),
+			'link_url'  => $reject_url ? add_query_arg( 'error', 'disabled', $reject_url ) : admin_url(),
+		)
+	);
+}
+
 if ( ! wp_is_application_passwords_available_for_user( $user ) ) {
 	if ( wp_is_application_passwords_available() ) {
 		$message = __( 'Application passwords are not available for your account. Please contact the site administrator for assistance.' );
--- a/wp-admin/includes/upgrade.php
+++ b/wp-admin/includes/upgrade.php
@ -874,7 +874,7 @@ function upgrade_all() {
 		upgrade_550();
 	}

-	if ( $wp_current_db_version < 49735 ) {
+	if ( $wp_current_db_version < 49752 ) {
 		upgrade_560();
 	}

@ -2278,6 +2278,19 @@ function upgrade_560() {
 	if ( $wp_current_db_version < 49735 ) {
 		delete_transient( 'dirsize_cache' );
 	}
+
+	if ( $wp_current_db_version < 49752 ) {
+		$results = $wpdb->get_results(
+			$wpdb->prepare(
+				"SELECT 1 FROM {$wpdb->usermeta} WHERE meta_key = %s LIMIT 1",
+				WP_Application_Passwords::USERMETA_KEY_APPLICATION_PASSWORDS
+			)
+		);
+
+		if ( ! empty( $results ) ) {
+			update_site_option( WP_Application_Passwords::OPTION_KEY_IN_USE, 1 );
+		}
+	}
 }

 /**
--- a/wp-admin/user-edit.php
+++ b/wp-admin/user-edit.php
@ -738,27 +738,34 @@ endif;
 					<?php
 				}
 			}
-			?>
-		<div class="create-application-password form-wrap">
-			<div class="form-field">
-				<label for="new_application_password_name"><?php _e( 'New Application Password Name' ); ?></label>
-				<input type="text" size="30" id="new_application_password_name" name="new_application_password_name" placeholder="<?php esc_attr_e( 'WordPress App on My Phone' ); ?>" class="input" aria-required="true" aria-describedby="new_application_password_name_desc" />
-				<p class="description" id="new_application_password_name_desc"><?php _e( 'Required to create an Application Password, but not to update the user.' ); ?></p>
+
+			if ( empty( $_SERVER['PHP_AUTH_USER'] ) && empty( $_SERVER['PHP_AUTH_PW'] ) ) {
+				?>
+			<div class="create-application-password form-wrap">
+				<div class="form-field">
+					<label for="new_application_password_name"><?php _e( 'New Application Password Name' ); ?></label>
+					<input type="text" size="30" id="new_application_password_name" name="new_application_password_name" placeholder="<?php esc_attr_e( 'WordPress App on My Phone' ); ?>" class="input" aria-required="true" aria-describedby="new_application_password_name_desc" />
+					<p class="description" id="new_application_password_name_desc"><?php _e( 'Required to create an Application Password, but not to update the user.' ); ?></p>
+				</div>
+
+				<?php
+				/**
+				 * Fires in the create Application Passwords form.
+				 *
+				 * @since 5.6.0
+				 *
+				 * @param WP_User $profileuser The current WP_User object.
+				 */
+				do_action( 'wp_create_application_password_form', $profileuser );
+				?>
+
+				<?php submit_button( __( 'Add New Application Password' ), 'secondary', 'do_new_application_password' ); ?>
 			</div>
-
-			<?php
-			/**
-			 * Fires in the create Application Passwords form.
-			 *
-			 * @since 5.6.0
-			 *
-			 * @param WP_User $profileuser The current WP_User object.
-			 */
-			do_action( 'wp_create_application_password_form', $profileuser );
-			?>
-
-			<?php submit_button( __( 'Add New Application Password' ), 'secondary', 'do_new_application_password' ); ?>
-		</div>
+		<?php } else { ?>
+			<div class="notice notice-error inline">
+				<p><?php _e( 'Your website appears to use Basic Authentication, which is not currently compatible with Application Passwords.' ); ?></p>
+			</div>
+		<?php } ?>

 		<div class="application-passwords-list-table-wrapper">
 			<?php
--- a/wp-includes/class-wp-application-passwords.php
+++ b/wp-includes/class-wp-application-passwords.php
@ -22,6 +22,15 @@ class WP_Application_Passwords {
 	 */
 	const USERMETA_KEY_APPLICATION_PASSWORDS = '_application_passwords';

+	/**
+	 * The option name used to store whether application passwords is in use.
+	 *
+	 * @since 5.6.0
+	 *
+	 * @type string
+	 */
+	const OPTION_KEY_IN_USE = 'using_application_passwords';
+
 	/**
 	 * The generated application password length.
 	 *
@ -31,6 +40,19 @@ class WP_Application_Passwords {
 	 */
 	const PW_LENGTH = 24;

+	/**
+	 * Checks if Application Passwords are being used by the site.
+	 *
+	 * This returns true if at least one App Password has ever been created.
+	 *
+	 * @since 5.6.0
+	 *
+	 * @return bool
+	 */
+	public static function is_in_use() {
+		return (bool) get_site_option( self::OPTION_KEY_IN_USE );
+	}
+
 	/**
 	 * Creates a new application password.
 	 *
@ -67,6 +89,10 @@ class WP_Application_Passwords {
 			return new WP_Error( 'db_error', __( 'Could not save application password.' ) );
 		}

+		if ( ! get_site_option( self::OPTION_KEY_IN_USE ) ) {
+			update_site_option( self::OPTION_KEY_IN_USE, true );
+		}
+
 		/**
 		 * Fires when an application password is created.
 		 *
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@ -313,6 +313,10 @@ function wp_authenticate_application_password( $input_user, $username, $password
 		return $input_user;
 	}

+	if ( ! WP_Application_Passwords::is_in_use() ) {
+		return $input_user;
+	}
+
 	$is_api_request = ( ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) );

 	/**
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@ -13,14 +13,14 @@
 *
 * @global string $wp_version
 */
-$wp_version = '5.6-RC3-49753';
+$wp_version = '5.6-RC3-49754';

 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
 *
 * @global int $wp_db_version
 */
-$wp_db_version = 49735;
+$wp_db_version = 49752;

 /**
 * Holds the TinyMCE version.