

Timestamp:
04/13/2018 03:29:52 PM (7 years ago)
Author:
flixos90
Message:

Multisite: Verify the signup nonce using wp_verify_nonce() in signup_nonce_check().

Prior to this change, the nonce passed from wp-signup.php was verified with a simple comparison. Furthermore, in case of failure, wp_die() would be called while the HTML markup was already being printed. Now the error message is returned properly, by modifying the WP_Error object in the passed $result.

Props herregroen.
Fixes #43667.

File:
1 edited

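--- a/trunk/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
+++ b/trunk/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
@@ -166,4 +166,34 @@
         $this->assertNotContains( 'user_email', $valid['errors']->get_error_codes() );
     }
+
+    /**
+     * @ticket 43667
+     */
+    public function test_signup_nonce_check() {
+        $original_php_self       = $_SERVER['PHP_SELF'];
+        $_SERVER['PHP_SELF']     = '/wp-signup.php';
+        $_POST['signup_form_id'] = 'user-signup-form';
+        $_POST['_signup_form']   = wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] );
+
+        $valid               = wpmu_validate_user_signup( 'validusername', 'email@example.com' );
+        $_SERVER['PHP_SELF'] = $original_php_self;
+
+        $this->assertNotContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+    }
+
+    /**
+     * @ticket 43667
+     */
+    public function test_signup_nonce_check_invalid() {
+        $original_php_self       = $_SERVER['PHP_SELF'];
+        $_SERVER['PHP_SELF']     = '/wp-signup.php';
+        $_POST['signup_form_id'] = 'user-signup-form';
+        $_POST['_signup_form']   = wp_create_nonce( 'invalid' );
+
+        $valid               = wpmu_validate_user_signup( 'validusername', 'email@example.com' );
+        $_SERVER['PHP_SELF'] = $original_php_self;
+
+        $this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+    }
 }
 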
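Review bot: Both new tests write `$_POST['signup_form_id']` and `$_POST['_signup_form']` but only `$_SERVER['PHP_SELF']` is restored afterwards, so the signup nonce fields leak into every later test in the same process. Add `unset( $_POST['signup_form_id'], $_POST['_signup_form'] );` next to the `$_SERVER['PHP_SELF']` restore in both test_signup_nonce_check() and test_signup_nonce_check_invalid(), or move the whole restore into the test case's teardown hook so it also runs when wpmu_validate_user_signup() throws. The pair covers a matching and a mismatched nonce but not a request with no `_signup_form` key at all; if signup_nonce_check() reports the missing field as `invalid_nonce`, a third test that leaves that key unset would pin the case a request bypassing the form presents.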