Changeset 42976


Timestamp:
04/13/2018 03:29:52 PM (3 years ago)
Author:
flixos90
Message:

Multisite: Verify the signup nonce using wp_verify_nonce() in signup_nonce_check().

Prior to this change, the nonce passed from wp-signup.php was verified with a simple comparison. Furthermore, in case of failure, wp_die() would be called while the HTML markup was already being printed. Now the error message is returned properly, by adding it to the WP_Error object in the passed $result.

Props herregroen.
Fixes #43667.

Location:
trunk
Files:
3 edited

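--- a/trunk/src/wp-includes/ms-functions.php
+++ b/trunk/src/wp-includes/ms-functions.php
@@ -2194,6 +2194,6 @@
     }
 
-    if ( wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] ) != $_POST['_signup_form'] ) {
-        wp_die( __( 'Please try again.' ) );
+    if ( ! wp_verify_nonce( $_POST['_signup_form'], 'signup_form_' . $_POST['signup_form_id'] ) ) {
+        $result['errors']->add( 'invalid_nonce', __( 'Unable to submit this form, please try again.' ) );
     }
 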
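Review bot: The new condition on the `if` line still reads `$_POST['_signup_form']` and `$_POST['signup_form_id']` directly, so a request that omits either key raises an undefined-index notice before wp_verify_nonce() gets to reject it. Reading them through isset() first keeps the rejection path quiet: `$nonce = isset( $_POST['_signup_form'] ) ? $_POST['_signup_form'] : '';`, `$form_id = isset( $_POST['signup_form_id'] ) ? $_POST['signup_form_id'] : '';`, then `if ( ! wp_verify_nonce( $nonce, 'signup_form_' . $form_id ) ) {`. Because a failure no longer stops execution via wp_die(), the caller of signup_nonce_check() presumably has to inspect `$result['errors']` and abort the signup itself; worth confirming wp-signup.php does that on this code path. The enclosing function starts and ends outside the hunk.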
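--- a/trunk/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
+++ b/trunk/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
@@ -127,4 +127,34 @@
             return $this->minimum_site_name_length;
         }
+
+        /**
+         * @ticket 43667
+         */
+        public function test_signup_nonce_check() {
+            $original_php_self       = $_SERVER['PHP_SELF'];
+            $_SERVER['PHP_SELF']     = '/wp-signup.php';
+            $_POST['signup_form_id'] = 'blog-signup-form';
+            $_POST['_signup_form']   = wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] );
+
+            $valid               = wpmu_validate_blog_signup( 'my-nonce-site', 'Site Title', get_userdata( self::$super_admin_id ) );
+            $_SERVER['PHP_SELF'] = $original_php_self;
+
+            $this->assertNotContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+        }
+
+        /**
+         * @ticket 43667
+         */
+        public function test_signup_nonce_check_invalid() {
+            $original_php_self       = $_SERVER['PHP_SELF'];
+            $_SERVER['PHP_SELF']     = '/wp-signup.php';
+            $_POST['signup_form_id'] = 'blog-signup-form';
+            $_POST['_signup_form']   = wp_create_nonce( 'invalid' );
+
+            $valid               = wpmu_validate_blog_signup( 'my-nonce-site', 'Site Title', get_userdata( self::$super_admin_id ) );
+            $_SERVER['PHP_SELF'] = $original_php_self;
+
+            $this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+        }
     }
 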
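Review bot: Both new tests set `$_POST['signup_form_id']` and `$_POST['_signup_form']` but only restore `$_SERVER['PHP_SELF']`, so the nonce fields leak into every later test in the same process; the two tests added in wpmuValidateUserSignup.php have the same shape. Adding `unset( $_POST['signup_form_id'], $_POST['_signup_form'] );` next to the PHP_SELF restore keeps the superglobal state contained, assuming the base test case does not already reset `$_POST` in tearDown(). The invalid case only covers a nonce created for a different action; a request with no `_signup_form` field at all is not exercised, and that is the request shape the check most needs to reject cleanly. The enclosing class starts outside the hunk.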
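--- a/trunk/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
+++ b/trunk/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
@@ -166,4 +166,34 @@
             $this->assertNotContains( 'user_email', $valid['errors']->get_error_codes() );
         }
+
+        /**
+         * @ticket 43667
+         */
+        public function test_signup_nonce_check() {
+            $original_php_self       = $_SERVER['PHP_SELF'];
+            $_SERVER['PHP_SELF']     = '/wp-signup.php';
+            $_POST['signup_form_id'] = 'user-signup-form';
+            $_POST['_signup_form']   = wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] );
+
+            $valid               = wpmu_validate_user_signup( 'validusername', 'email@example.com' );
+            $_SERVER['PHP_SELF'] = $original_php_self;
+
+            $this->assertNotContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+        }
+
+        /**
+         * @ticket 43667
+         */
+        public function test_signup_nonce_check_invalid() {
+            $original_php_self       = $_SERVER['PHP_SELF'];
+            $_SERVER['PHP_SELF']     = '/wp-signup.php';
+            $_POST['signup_form_id'] = 'user-signup-form';
+            $_POST['_signup_form']   = wp_create_nonce( 'invalid' );
+
+            $valid               = wpmu_validate_user_signup( 'validusername', 'email@example.com' );
+            $_SERVER['PHP_SELF'] = $original_php_self;
+
+            $this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+        }
     }
 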