From 902e3f6b8548bbcc19051a84d37cb7d2ad5a6874 Mon Sep 17 00:00:00 2001 From: Timothy Jacobs Date: Sat, 2 Jan 2021 21:34:01 +0000 Subject: [PATCH] App Passwords: Only attempt auth if the username and password are set. Previously, only the username was checked which caused a PHP warning in some server setups, for instance Shibboleth SSO, where the server only populates the `PHP_AUTH_USER` field. Props MadtownLems, johnbillion, richard.tape, engahmeds3ed. Fixes #52003. git-svn-id: https://develop.svn.wordpress.org/trunk@49919 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/user.php | 4 ++--
 tests/phpunit/tests/auth.php | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/wp-includes/user.php b/src/wp-includes/user.php
index b8275338c8..134258d4fe 100644
--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -462,8 +462,8 @@ function wp_validate_application_password( $input_user ) {
 return $input_user;
 }
 
- // Check that we're trying to authenticate
- if ( ! isset( $_SERVER['PHP_AUTH_USER'] ) ) {
+ // Both $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] must be set in order to attempt authentication.
+ if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) ) {
 return $input_user;
 }
 
diff --git a/tests/phpunit/tests/auth.php b/tests/phpunit/tests/auth.php
index 147e078e18..84a68daa09 100644
--- a/tests/phpunit/tests/auth.php
+++ b/tests/phpunit/tests/auth.php
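Review bot: `isset()` in the new condition treats an empty-string `$_SERVER['PHP_AUTH_PW']` as present, so a server that populates the key with `''` still passes this guard and reaches the authentication attempt; if that case should also fall through to `$input_user`, the check could read `if ( ! isset( $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'] ) || '' === $_SERVER['PHP_AUTH_PW'] ) {`, though whether an empty password is already rejected further down is not visible in this hunk. The two-key `isset()` does close the undefined-index warning described in the commit message, since the later read of `PHP_AUTH_PW` (presumably outside this hunk) is now only reached when both keys exist. The body of wp_validate_application_password begins and ends outside the hunk.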
@@ -615,4 +615,21 @@ class Tests_Auth extends WP_UnitTestCase {
 $authenticated = wp_authenticate_application_password( null, 'idonotexist', 'password' );
 $this->assertNull( $authenticated );
 }
+
+ /**
+ * @ticket 52003
+ *
+ * @covers ::wp_validate_application_password
+ */
+ public function test_application_passwords_does_not_attempt_auth_if_missing_password() {
+ WP_Application_Passwords::create_new_application_password( self::$user_id, array( 'name' => 'phpunit' ) );
+
+ add_filter( 'application_password_is_api_request', '__return_true' );
+ add_filter( 'wp_is_application_passwords_available', '__return_true' );
+
+ $_SERVER['PHP_AUTH_USER'] = self::$_user->user_login;
+ unset( $_SERVER['PHP_AUTH_PW'] );
+
+ $this->assertNull( wp_validate_application_password( null ) );
+ }
 }
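Review bot: The new test assigns `$_SERVER['PHP_AUTH_USER']` and never restores it, so the value leaks into later tests in this class unless a tearDown that resets `$_SERVER` exists outside the hunk; a trailing `unset( $_SERVER['PHP_AUTH_USER'] );` or a saved-and-restored copy would make the test self-contained. The test also covers only the missing-password half of the new two-key `isset()`; a mirror test that sets `PHP_AUTH_PW` and unsets `PHP_AUTH_USER` would pin the other half. The two `add_filter` calls rely on the test case restoring hooks between tests, which WP_UnitTestCase is expected to do but is not shown here.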