Multisite: Verify the signup nonce using wp_verify_nonce() in signup_nonce_check().

Prior to this change, the nonce passed from `wp-signup.php` was verified with a simple comparison. Furthermore in case of failures, `wp_die()` would be called right during the HTML markup being already printed. Now the error message is returned properly, modifying the `WP_Error` object in the passed `$result`. Props herregroen. Fixes #43667. git-svn-id: https://develop.svn.wordpress.org/trunk@42976 602fd350-edb4-49c9-b593-d223f7449a82
2018-04-13 15:29:52 +00:00 · 2018-04-13 15:29:52 +00:00 · 63eda3b3a4
commit 63eda3b3a4
parent 2468899f38
3 changed files with 62 additions and 2 deletions
--- a/src/wp-includes/ms-functions.php
+++ b/src/wp-includes/ms-functions.php
@ -2193,8 +2193,8 @@ function signup_nonce_check( $result ) {
 		return $result;
 	}

-	if ( wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] ) != $_POST['_signup_form'] ) {
-		wp_die( __( 'Please try again.' ) );
+	if ( ! wp_verify_nonce( $_POST['_signup_form'], 'signup_form_' . $_POST['signup_form_id'] ) ) {
+		$result['errors']->add( 'invalid_nonce', __( 'Unable to submit this form, please try again.' ) );
 	}

 	return $result;
--- a/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
+++ b/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
@ -126,6 +126,36 @@ if ( is_multisite() ) :
 		public function filter_minimum_site_name_length() {
 			return $this->minimum_site_name_length;
 		}
+
+		/**
+		 * @ticket 43667
+		 */
+		public function test_signup_nonce_check() {
+			$original_php_self       = $_SERVER['PHP_SELF'];
+			$_SERVER['PHP_SELF']     = '/wp-signup.php';
+			$_POST['signup_form_id'] = 'blog-signup-form';
+			$_POST['_signup_form']   = wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] );
+
+			$valid               = wpmu_validate_blog_signup( 'my-nonce-site', 'Site Title', get_userdata( self::$super_admin_id ) );
+			$_SERVER['PHP_SELF'] = $original_php_self;
+
+			$this->assertNotContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+		}
+
+		/**
+		 * @ticket 43667
+		 */
+		public function test_signup_nonce_check_invalid() {
+			$original_php_self       = $_SERVER['PHP_SELF'];
+			$_SERVER['PHP_SELF']     = '/wp-signup.php';
+			$_POST['signup_form_id'] = 'blog-signup-form';
+			$_POST['_signup_form']   = wp_create_nonce( 'invalid' );
+
+			$valid               = wpmu_validate_blog_signup( 'my-nonce-site', 'Site Title', get_userdata( self::$super_admin_id ) );
+			$_SERVER['PHP_SELF'] = $original_php_self;
+
+			$this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+		}
 	}

 endif;
--- a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
+++ b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
@ -165,6 +165,36 @@ if ( is_multisite() ) :

 			$this->assertNotContains( 'user_email', $valid['errors']->get_error_codes() );
 		}
+
+		/**
+		 * @ticket 43667
+		 */
+		public function test_signup_nonce_check() {
+			$original_php_self       = $_SERVER['PHP_SELF'];
+			$_SERVER['PHP_SELF']     = '/wp-signup.php';
+			$_POST['signup_form_id'] = 'user-signup-form';
+			$_POST['_signup_form']   = wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] );
+
+			$valid               = wpmu_validate_user_signup( 'validusername', 'email@example.com' );
+			$_SERVER['PHP_SELF'] = $original_php_self;
+
+			$this->assertNotContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+		}
+
+		/**
+		 * @ticket 43667
+		 */
+		public function test_signup_nonce_check_invalid() {
+			$original_php_self       = $_SERVER['PHP_SELF'];
+			$_SERVER['PHP_SELF']     = '/wp-signup.php';
+			$_POST['signup_form_id'] = 'user-signup-form';
+			$_POST['_signup_form']   = wp_create_nonce( 'invalid' );
+
+			$valid               = wpmu_validate_user_signup( 'validusername', 'email@example.com' );
+			$_SERVER['PHP_SELF'] = $original_php_self;
+
+			$this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+		}
 	}

 endif;