[wp-trac] [WordPress Trac] #43667: signup_nonce_check does not use wp_verify_nonce.
WordPress Trac
noreply at wordpress.org
Tue Apr 10 07:57:54 UTC 2018
#43667: signup_nonce_check does not use wp_verify_nonce.
-------------------------------------+------------------------
Reporter: herregroen | Owner: flixos90
Type: defect (bug) | Status: reviewing
Priority: normal | Milestone: 5.0
Component: Login and Registration | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch needs-refresh | Focuses: multisite
-------------------------------------+------------------------
Comment (by herregroen):
Replying to [comment:5 flixos90]:
> Some thoughts:
>
> * Do we need to add the link to the registration form? When clicking that, the user will have to re-enter their data. Without a link present, the user would likely hit the browser's back button, still having their data present.
> * It's clear that the above isn't user-friendly in either case. I just noticed that when this error happens, the `wp_die()` is executed ''in'' the HTML content, causing ridiculously invalid markup. Since the method is hooked into the `wpmu_validate_blog_signup` and `wpmu_validate_user_signup` filters, both of which pass a `$result` array containing an `errors` key which is a `WP_Error` object, I think we should instead add that message to that `WP_Error` instance. This should cause it to be printed out in the content correctly, and the process will still fail. In that case, of course a link is no longer necessary anyway.
>
> While the issue described under the second point is not caused by this patch, I think while we fix this one issue, we might as well fix the other as it's clearly broken.
I added the link explicitly to avoid that behaviour. If the user goes back, all their information is indeed still filled in, including the faulty nonce inside a hidden input, meaning the same error will just occur regardless.

That said, I agree that simply returning an error is clearly the desired option. I'll update the patch to add an error instead. On error the signup form is output again in any case, including a new nonce, so the above is moot.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43667#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
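The approach the two commenters converge on above, as an added illustration that is neither the ticket's patch nor WordPress core code: a signup validation filter that checks the form nonce with `wp_verify_nonce()` and, on failure, adds a message to the `$result['errors']` `WP_Error` instead of calling `wp_die()` inside the page content. The hidden field names `signup_form_id` and `_signup_form` follow the fields core's signup form emits; the function names, the error code and the message text are assumptions for the example.

```php
<?php
// Added example (not the ticket's patch, not WordPress core): verify the
// multisite signup nonce with wp_verify_nonce() and report failure through
// the WP_Error that the validation filters already pass around, so the signup
// form re-renders with the message and a fresh nonce instead of wp_die()
// breaking the page markup.

/**
 * Print the hidden form id and nonce fields into the signup form.
 * The action string 'signup_form_<id>' must match the verifying side below.
 */
function example_signup_nonce_fields() {
    $id = mt_rand(); // per-render id, bound into the nonce action
    echo '<input type="hidden" name="signup_form_id" value="' . esc_attr( $id ) . '" />';
    wp_nonce_field( 'signup_form_' . $id, '_signup_form', false );
}

/**
 * Filter callback for wpmu_validate_user_signup and wpmu_validate_blog_signup.
 *
 * @param array $result Validation result; $result['errors'] is a WP_Error.
 * @return array The same array, with an error added when the nonce fails.
 */
function example_signup_nonce_check( $result ) {
    // Only POSTed signups carry the nonce; leave other callers untouched.
    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return $result;
    }
    if ( ! isset( $result['errors'] ) || ! is_wp_error( $result['errors'] ) ) {
        $result['errors'] = new WP_Error();
    }

    $form_id = isset( $_POST['signup_form_id'] ) ? absint( $_POST['signup_form_id'] ) : 0;
    $nonce   = isset( $_POST['_signup_form'] )
        ? sanitize_text_field( wp_unslash( $_POST['_signup_form'] ) )
        : '';

    // wp_verify_nonce() returns 1 or 2 for a valid nonce (current or previous
    // tick) and false otherwise, so test for false explicitly rather than
    // comparing against a freshly created nonce string.
    if ( ! $form_id || false === wp_verify_nonce( $nonce, 'signup_form_' . $form_id ) ) {
        // Assumed error code and message; adding to WP_Error lets the normal
        // signup flow print it and redisplay the form with a new nonce.
        $result['errors']->add(
            'invalid_nonce',
            __( 'Unable to submit this form, please try again.' )
        );
    }

    return $result;
}
add_filter( 'wpmu_validate_user_signup', 'example_signup_nonce_check' );
add_filter( 'wpmu_validate_blog_signup', 'example_signup_nonce_check' );
```

Because the callback never calls `wp_die()`, the error is rendered by the same code path as any other validation failure (a bad username, a taken blog name), the markup stays valid, and the re-rendered form carries a fresh nonce, which is why no "back to the form" link is needed.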