Make WordPress Core
Timestamp:
04/13/2018 03:29:52 PM
Author:
flixos90
Message:

Multisite: Verify the signup nonce using wp_verify_nonce() in signup_nonce_check().

Prior to this change, the nonce passed from wp-signup.php was verified with a simple comparison. Furthermore, in case of failures, wp_die() would be called while the HTML markup was already being printed. Now the error message is returned properly, modifying the WP_Error object in the passed $result.

Props herregroen.
Fixes #43667.
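As an added example (not code from this changeset or from WordPress itself), the following PHP puts the removed check and the new one side by side using a minimal tick-based nonce shaped like wp_create_nonce()/wp_verify_nonce(): an HMAC over action|tick, truncated to 10 hex characters, accepted for the current and the previous tick. The secret, lifetime, timestamps and all function names (nonce_tick, create_nonce, verify_nonce, signup_nonce_check_before, signup_nonce_check_after) are assumptions made for the illustration; WordPress additionally mixes the user id and session token into the hash, which is omitted here.

```php
<?php
// Added example (not WordPress code): a minimal tick-based nonce modelled on the
// shape of wp_create_nonce()/wp_verify_nonce() (HMAC of action|tick, truncated to
// 10 hex chars), used to contrast the removed "!=" check with a proper verify.
// The secret, lifetime and timestamps below are assumptions for the illustration;
// WordPress also mixes the user id and session token into the hash, omitted here.

const NONCE_SECRET = 'constructed-example-secret'; // stands in for wp_salt('nonce')
const NONCE_LIFE   = 86400;                         // DAY_IN_SECONDS, WordPress's default

function nonce_tick(int $now): int
{
    // Two ticks per lifetime, so a nonce survives a boundary crossing for half a day.
    return (int) ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(int $tick, string $action): string
{
    return substr(hash_hmac('md5', $tick . '|' . $action, NONCE_SECRET), -12, 10);
}

function create_nonce(string $action, int $now): string
{
    return nonce_for_tick(nonce_tick($now), $action);
}

// Returns 1 (current tick), 2 (previous tick) or false, like wp_verify_nonce().
function verify_nonce(string $nonce, string $action, int $now)
{
    if ($nonce === '') {
        return false;
    }
    $tick = nonce_tick($now);
    foreach ([1 => $tick, 2 => $tick - 1] as $age => $i) {
        // hash_equals() is constant-time and never type-juggles, unlike == / !=.
        if (hash_equals(nonce_for_tick($i, $action), $nonce)) {
            return $age;
        }
    }
    return false;
}

// The removed pattern: regenerate the nonce for *now* and loosely compare it.
function signup_nonce_check_before(array $post, int $now): bool
{
    return create_nonce('signup_form_' . $post['signup_form_id'], $now) == $post['_signup_form'];
}

// The pattern introduced by the changeset, with an isset() guard added: verify,
// and record the failure on the passed result instead of dying mid-page.
function signup_nonce_check_after(array $result, array $post, int $now): array
{
    $nonce = isset($post['_signup_form'])   ? (string) $post['_signup_form']   : '';
    $id    = isset($post['signup_form_id']) ? (string) $post['signup_form_id'] : '';
    if (!verify_nonce($nonce, 'signup_form_' . $id, $now)) {
        $result['errors']['invalid_nonce'] = 'Unable to submit this form, please try again.';
    }
    return $result;
}

// Constructed scenario: the form is rendered one second before a tick boundary
// (tick 1) and submitted one second after it (tick 2).
$rendered  = 43199;
$submitted = 43201;
$post = [
    'signup_form_id' => 'form-1',
    '_signup_form'   => create_nonce('signup_form_form-1', $rendered),
];

printf("old check, valid nonce across a tick: %s\n",
    signup_nonce_check_before($post, $submitted) ? 'accepted' : 'rejected');
$after = signup_nonce_check_after(['errors' => []], $post, $submitted);
printf("new check, valid nonce across a tick: %s\n",
    empty($after['errors']) ? 'accepted' : 'rejected');

$post['_signup_form'] = 'deadbeef00'; // attacker-supplied value
$after = signup_nonce_check_after(['errors' => []], $post, $submitted);
printf("new check, forged nonce: %s\n", empty($after['errors']) ? 'accepted' : 'rejected');

// Why loose comparison of hex strings is unsafe in PHP: two numeric-looking
// strings compare as numbers, so these distinct "nonces" are == to each other.
var_dump('0e1234567' == '0e7654321');
```

Run with `php example.php`. The old check regenerates the nonce for the submission's tick and so turns away a legitimate user whose form was rendered in the previous tick, while the new check accepts it (verify_nonce returns 2), rejects the forged value, and reports the failure through the returned result array so the caller can render it instead of the page being cut off by wp_die(). The final var_dump shows the type juggling that a `!=` against user input inherits and that hash_equals() avoids.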

File:
1 edited

  • trunk/src/wp-includes/ms-functions.php

    r42866 r42976  
    21942194    }
    21952195
    2196     if ( wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] ) != $_POST['_signup_form'] ) {
    2197         wp_die( __( 'Please try again.' ) );
     2196    if ( ! wp_verify_nonce( $_POST['_signup_form'], 'signup_form_' . $_POST['signup_form_id'] ) ) {
     2197        $result['errors']->add( 'invalid_nonce', __( 'Unable to submit this form, please try again.' ) );
    21982198    }
    21992199
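Review bot: the new wp_verify_nonce() call on line 2196 still reads `$_POST['_signup_form']` and `$_POST['signup_form_id']` without checking that they exist, so a POST missing either key raises an undefined-index notice before the (correct) verification failure; wrap both in isset() with an empty-string fallback, since wp_verify_nonce() already rejects an empty nonce. The hunk also adds the `invalid_nonce` error on line 2197 without an early return and its trailing context shows only the closing brace, so confirm that the surrounding function still returns `$result` afterwards, otherwise the added error never reaches the caller. Dropping the `!=` against wp_create_nonce() is the right move: that loose comparison type-juggles and is not constant-time, and it only matched a nonce generated in the current tick, whereas wp_verify_nonce() uses hash_equals() and also accepts the previous tick.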