From 43430207ebbb6166e22bbc0ccb147c83c9912ac3 Mon Sep 17 00:00:00 2001
From: "Dominik Schilling (ocean90)"
Date: Wed, 30 Mar 2016 14:48:54 +0000
Subject: [PATCH] Multisite: Validate new email address confirmations.

Merge of [37103] to the 4.4 branch.

git-svn-id: https://develop.svn.wordpress.org/branches/4.4@37104 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-admin/user-edit.php | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/wp-admin/user-edit.php b/src/wp-admin/user-edit.php
index 88d4657bba..4deb6bff7f 100644
--- a/src/wp-admin/user-edit.php
+++ b/src/wp-admin/user-edit.php
@@ -83,7 +83,7 @@ if ( is_multisite()
 // Execute confirmed email change. See send_confirmation_on_profile_email().
 if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $current_user->ID ) {
 $new_email = get_option( $current_user->ID . '_new_email' );
- if ( $new_email[ 'hash' ] == $_GET[ 'newuseremail' ] ) {
+ if ( $new_email && hash_equals( $new_email[ 'hash' ], $_GET[ 'newuseremail' ] ) ) {
 $user = new stdClass;
 $user->ID = $current_user->ID;
 $user->user_email = esc_html( trim( $new_email[ 'newemail' ] ) );
@@ -94,7 +94,8 @@ if ( is_multisite() && IS_PROFILE_PAGE && isset( $_GET[ 'newuseremail' ] ) && $c
 wp_redirect( add_query_arg( array('updated' => 'true'), self_admin_url( 'profile.php' ) ) );
 die();
 }
-} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' == $_GET['dismiss'] ) {
+} elseif ( is_multisite() && IS_PROFILE_PAGE && !empty( $_GET['dismiss'] ) && $current_user->ID . '_new_email' === $_GET['dismiss'] ) {
+ check_admin_referer( 'dismiss-' . $current_user->ID . '_new_email' );
 delete_option( $current_user->ID . '_new_email' );
 wp_redirect( add_query_arg( array('updated' => 'true'), self_admin_url( 'profile.php' ) ) );
 die();
@@ -389,8 +390,8 @@ if ( is_multisite() && is_network_admin() && ! IS_PROFILE_PAGE && current_user_c
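Review bot: The new guard `$new_email && hash_equals( ... )` only proves the option is truthy, not that it is an array carrying a `'hash'` key, and `$_GET['newuseremail']` may arrive as an array rather than a string; in both cases hash_equals() emits a warning and returns false, which fails closed but leaks notices into the admin page. A tighter guard keeps the same outcome without the warnings: `if ( is_array( $new_email ) && isset( $new_email['hash'] ) && is_string( $_GET['newuseremail'] ) && hash_equals( $new_email['hash'], $_GET['newuseremail'] ) ) {`. Switching from `==` to hash_equals() is the right fix for the token comparison, since it removes both loose-comparison surprises and timing differences. hash_equals() is native only from PHP 5.6, so the 4.4 branch presumably relies on WordPress's compatibility shim for older PHP versions; worth confirming that shim is present here. The enclosing `if` block continues past the end of this hunk.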
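Review bot: The nonce action string `'dismiss-' . $current_user->ID . '_new_email'` added to the check_admin_referer() call here is rebuilt by hand in the wp_nonce_url() call of the third hunk (`@@ -389,8 +390,8`); the two must stay byte-identical or every dismiss link will fail verification, so it would be safer to compute it once, e.g. `$dismiss_action = 'dismiss-' . $current_user->ID . '_new_email';`, and reuse the variable in both places. A short comment above the check would also help the next reader, e.g. `// Dismissing a pending email change is a state-changing GET; require a valid nonce (check_admin_referer() stops the request when it is missing or invalid).` The `===` comparison on the `elseif` line is a good companion change, since `$_GET['dismiss']` is attacker-controlled and `==` would tolerate type juggling. The `elseif` branch closes outside this hunk.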

Cancel' ), - '' . $new_email['newemail'] . '', - esc_url( self_admin_url( 'profile.php?dismiss=' . $current_user->ID . '_new_email' ) ) + '' . esc_html( $new_email['newemail'] ) . '', + esc_url( wp_nonce_url( self_admin_url( 'profile.php?dismiss=' . $current_user->ID . '_new_email' ), 'dismiss-' . $current_user->ID . '_new_email' ) ) ); ?>