Ticket #43667: 43667.diff

src/wp-includes/ms-functions.php

@@ -2193 +2193 @@
                 return $result;
         }
 
-        if ( wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] ) != $_POST['_signup_form'] ) {
-                wp_die( __( 'Please try again.' ) );
+        if ( ! wp_verify_nonce( $_POST['_signup_form'], 'signup_form_' . $_POST['signup_form_id'] ) ) {
+                $result['errors']->add( 'invalid_nonce', __( 'Unable to submit this form, please try again.' ) );
         }
 
         return $result;

tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php

@@ -126 +126 @@
                 public function filter_minimum_site_name_length() {
                         return $this->minimum_site_name_length;
                 }
+
+                /**
+                 * @ticket 43667
+                 */
+                public function test_signup_nonce_check() {
+                        $original_php_self       = $_SERVER['PHP_SELF'];
+                        $_SERVER['PHP_SELF']     = '/wp-signup.php';
+                        $_POST['signup_form_id'] = 'blog-signup-form';
+                        $_POST['_signup_form']   = wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] );
+
+                        $valid               = wpmu_validate_blog_signup( 'my-nonce-site', 'Site Title', get_userdata( self::$super_admin_id ) );
+                        $_SERVER['PHP_SELF'] = $original_php_self;
+
+                        $this->assertNotContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+                }
+
+                /**
+                 * @ticket 43667
+                 */
+                public function test_signup_nonce_check_invalid() {
+                        $original_php_self       = $_SERVER['PHP_SELF'];
+                        $_SERVER['PHP_SELF']     = '/wp-signup.php';
+                        $_POST['signup_form_id'] = 'blog-signup-form';
+                        $_POST['_signup_form']   = wp_create_nonce( 'invalid' );
+
+                        $valid               = wpmu_validate_blog_signup( 'my-nonce-site', 'Site Title', get_userdata( self::$super_admin_id ) );
+                        $_SERVER['PHP_SELF'] = $original_php_self;
+
+                        $this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+                }
         }
 
 endif;

tests/phpunit/tests/multisite/wpmuValidateUserSignup.php

@@ -165 +165 @@
 
                         $this->assertNotContains( 'user_email', $valid['errors']->get_error_codes() );
                 }
+
+                /**
+                 * @ticket 43667
+                 */
+                public function test_signup_nonce_check() {
+                        $original_php_self       = $_SERVER['PHP_SELF'];
+                        $_SERVER['PHP_SELF']     = '/wp-signup.php';
+                        $_POST['signup_form_id'] = 'user-signup-form';
+                        $_POST['_signup_form']   = wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] );
+
+                        $valid               = wpmu_validate_user_signup( 'validusername', 'email@example.com' );
+                        $_SERVER['PHP_SELF'] = $original_php_self;
+
+                        $this->assertNotContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+                }
+
+                /**
+                 * @ticket 43667
+                 */
+                public function test_signup_nonce_check_invalid() {
+                        $original_php_self       = $_SERVER['PHP_SELF'];
+                        $_SERVER['PHP_SELF']     = '/wp-signup.php';
+                        $_POST['signup_form_id'] = 'user-signup-form';
+                        $_POST['_signup_form']   = wp_create_nonce( 'invalid' );
+
+                        $valid               = wpmu_validate_user_signup( 'validusername', 'email@example.com' );
+                        $_SERVER['PHP_SELF'] = $original_php_self;
+
+                        $this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+                }
         }
 
 endif;