Ignore:
Timestamp:
04/13/2018 03:29:52 PM (7 years ago)
Author:
flixos90
Message:

Multisite: Verify the signup nonce using wp_verify_nonce() in signup_nonce_check().

Prior to this change, the nonce passed from wp-signup.php was verified with a simple comparison. Furthermore, in case of failure, wp_die() would be called while the HTML markup was already being printed. Now the error message is returned properly, by modifying the WP_Error object in the passed $result.

Props herregroen.
Fixes #43667.

File:
1 edited

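--- a/trunk/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
+++ b/trunk/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
@@ -127,4 +127,34 @@
         return $this->minimum_site_name_length;
     }
+
+    /**
+     * @ticket 43667
+     */
+    public function test_signup_nonce_check() {
+        $original_php_self       = $_SERVER['PHP_SELF'];
+        $_SERVER['PHP_SELF']     = '/wp-signup.php';
+        $_POST['signup_form_id'] = 'blog-signup-form';
+        $_POST['_signup_form']   = wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] );
+
+        $valid               = wpmu_validate_blog_signup( 'my-nonce-site', 'Site Title', get_userdata( self::$super_admin_id ) );
+        $_SERVER['PHP_SELF'] = $original_php_self;
+
+        $this->assertNotContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+    }
+
+    /**
+     * @ticket 43667
+     */
+    public function test_signup_nonce_check_invalid() {
+        $original_php_self       = $_SERVER['PHP_SELF'];
+        $_SERVER['PHP_SELF']     = '/wp-signup.php';
+        $_POST['signup_form_id'] = 'blog-signup-form';
+        $_POST['_signup_form']   = wp_create_nonce( 'invalid' );
+
+        $valid               = wpmu_validate_blog_signup( 'my-nonce-site', 'Site Title', get_userdata( self::$super_admin_id ) );
+        $_SERVER['PHP_SELF'] = $original_php_self;
+
+        $this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+    }
 }
 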
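Review bot: Both new tests leave `$_POST['signup_form_id']` and `$_POST['_signup_form']` set after the call, and `$_SERVER['PHP_SELF']` is only restored when wpmu_validate_blog_signup() returns normally, so a failure inside it leaks the modified request state into later tests in the same run. Unsetting the two keys after each call, `unset( $_POST['signup_form_id'], $_POST['_signup_form'] );`, or restoring all three globals in the class's tearDown(), keeps the tests isolated. A third case with `_signup_form` absent from `$_POST` would also be worth adding, since a request with no nonce at all is the more common shape of a forged submission than one carrying a nonce for the wrong action; the expected error code is presumably the same 'invalid_nonce', but that depends on signup_nonce_check(), which is outside this hunk. The enclosing class starts outside the hunk.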