wp_populate_basic_auth_from_authorization_header

The timeline below shows how the WordPress function `wp_populate_basic_auth_from_authorization_header` has changed across WordPress versions. If a version is not listed, refer to the next available version below.

WordPress Version: 6.4

/**
 * Copies HTTP Basic credentials from a forwarded Authorization header into
 * the `PHP_AUTH_USER` / `PHP_AUTH_PW` entries of `$_SERVER`.
 *
 * Some servers running in CGI or FastCGI mode don't pass the Authorization
 * header on to WordPress. When the raw header is available as
 * `HTTP_AUTHORIZATION` (or, failing that, `REDIRECT_HTTP_AUTHORIZATION`),
 * this function decodes it and fills in the two `PHP_AUTH_*` keys itself.
 *
 * Security notes for callers:
 * - This function only parses. It performs no authentication, so the values
 *   it writes are still unverified client input.
 * - If either `PHP_AUTH_*` key is already set, nothing is changed, so the raw
 *   header never overrides values that are already present.
 * - The decoded password is stored in clear text in `$_SERVER`; any code that
 *   prints or logs the whole superglobal will include it.
 *
 * @since 5.6.0
 *
 * @return void
 */
function wp_populate_basic_auth_from_authorization_header()
{
    $has_raw_header = isset($_SERVER['HTTP_AUTHORIZATION']) || isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION']);
    $already_populated = isset($_SERVER['PHP_AUTH_USER']) || isset($_SERVER['PHP_AUTH_PW']);

    // Nothing to read from, or the keys are already populated: leave $_SERVER untouched.
    if (!$has_raw_header || $already_populated) {
        return;
    }

    // The guard above guarantees at least one of the two is set; HTTP_AUTHORIZATION wins.
    $raw_header = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];

    // Accept only the Basic scheme followed by base64-alphabet characters and
    // at most two padding characters. Any other scheme is ignored here.
    if (preg_match('%^Basic [a-z\d/+]*={0,2}$%i', $raw_header) !== 1) {
        return;
    }

    // Skip the `Basic ` prefix (six characters) and decode the remainder.
    $decoded = base64_decode(substr($raw_header, strlen('Basic ')));

    // Without a colon there is no user/password separator, so bail out
    // instead of populating a half-filled credential pair.
    if (!str_contains($decoded, ':')) {
        return;
    }

    // Split on the first colon only, so the password may itself contain colons.
    $credentials = explode(':', $decoded, 2);

    $_SERVER['PHP_AUTH_USER'] = $credentials[0];
    $_SERVER['PHP_AUTH_PW'] = $credentials[1];
}

WordPress Version: 5.6

/**
 * Populates the Basic Auth server details from the Authorization header.
 *
 * Some servers running in CGI or FastCGI mode don't pass the Authorization
 * header on to WordPress.  If it's been rewritten to the `HTTP_AUTHORIZATION` header,
 * fill in the proper $_SERVER variables instead.
 *
 * This function only parses the header; it performs no authentication, so the
 * values written to `$_SERVER` are still unverified client input.
 *
 * Known limitations of this version (the 6.4 listing on this page adds a colon
 * check and an explode limit of 2):
 * - A password containing `:` is cut at its first colon, because `explode()`
 *   is called without a limit and only the first two pieces are kept.
 * - A decoded value with no `:` is not rejected: the whole string becomes
 *   `PHP_AUTH_USER`, `PHP_AUTH_PW` is set to null, and PHP reports an
 *   undefined offset / array key for the missing second element.
 *
 * @since 5.6.0
 *
 * @return void
 */
function wp_populate_basic_auth_from_authorization_header()
{
    // If we don't have anything to pull from, return early.
    if (!isset($_SERVER['HTTP_AUTHORIZATION']) && !isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
        return;
    }
    // If either PHP_AUTH key is already set, do nothing, so the raw header
    // never overrides values that are already present.
    if (isset($_SERVER['PHP_AUTH_USER']) || isset($_SERVER['PHP_AUTH_PW'])) {
        return;
    }
    // From our prior conditional, one of these must be set; HTTP_AUTHORIZATION takes precedence.
    $header = isset($_SERVER['HTTP_AUTHORIZATION']) ? $_SERVER['HTTP_AUTHORIZATION'] : $_SERVER['REDIRECT_HTTP_AUTHORIZATION'];
    // Accept only the Basic scheme followed by base64-alphabet characters and
    // at most two padding characters; anything else is ignored.
    if (!preg_match('%^Basic [a-z\d/+]*={0,2}$%i', $header)) {
        return;
    }
    // Removing `Basic ` the token would start six characters in.
    $token = substr($header, 6);
    $userpass = base64_decode($token);
    // NOTE(review): no limit argument and no check that a colon exists. Every
    // colon splits the string, and list() keeps only elements 0 and 1, so a
    // password with a colon is truncated and a colon-less value leaves $pass null.
    list($user, $pass) = explode(':', $userpass);
    // Now shove them in the proper keys where we're expecting later on.
    // The password is stored in clear text in $_SERVER from here on.
    $_SERVER['PHP_AUTH_USER'] = $user;
    $_SERVER['PHP_AUTH_PW'] = $pass;
}