Changeset 42976 for trunk/src/wp-includes/ms-functions.php

Timestamp:

04/13/2018 03:29:52 PM (7 years ago)

Author:

flixos90

Message:

Multisite: Verify the signup nonce using wp_verify_nonce() in signup_nonce_check().

Prior to this change, the nonce passed from wp-signup.php was verified with a simple comparison. Furthermore in case of failures, wp_die() would be called right during the HTML markup being already printed. Now the error message is returned properly, modifying the WP_Error object in the passed $result.

Props herregroen.
Fixes #43667.

File:

• trunk/src/wp-includes/ms-functions.php (modified) (1 diff)

trunk/src/wp-includes/ms-functions.php

@@ -2194 +2194 @@
     }
 
-    if ( wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] ) != $_POST['_signup_form'] ) {
-        wp_die( __( 'Please try again.' ) );
+    if ( ! wp_verify_nonce( $_POST['_signup_form'], 'signup_form_' . $_POST['signup_form_id'] ) ) {
+        $result['errors']->add( 'invalid_nonce', __( 'Unable to submit this form, please try again.' ) );
     }