[wp-trac] [WordPress Trac] #44901: Die earlier if confirm_key missing, no need to execute wp_validate_user_request_key
WordPress Trac
noreply at wordpress.org
Wed Sep 5 21:16:22 UTC 2018
#44901: Die earlier if confirm_key missing, no need to execute
wp_validate_user_request_key
-----------------------------+-----------------------------
Reporter: garrett-eclipse | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Privacy | Version: 4.9.6
Severity: normal | Keywords:
Focuses: |
-----------------------------+-----------------------------
In the 'confirmaction' case found in wp-login.php, if confirm_key is
missing from the request, it fails, but not before running all the tests in
wp_validate_user_request_key. We can modify the code block to check the
confirm_key right away and die.
Code I'm referring to:
https://github.com/WordPress/WordPress/blob/c952f8f98f5b34210c0bf16033c935408ac1a64e/wp-login.php#L867-L882
Suggested update moving the wp_die for the confirm_key check to the top:
{{{#!php
<?php
// Fail fast: both parameters must be present before any key validation runs.
if ( ! isset( $_GET['request_id'] ) ) {
	wp_die( __( 'Invalid request.' ) );
}
if ( ! isset( $_GET['confirm_key'] ) ) {
	wp_die( __( 'Missing Confirm Key.' ) );
}

$request_id = (int) $_GET['request_id'];
$key        = sanitize_text_field( wp_unslash( $_GET['confirm_key'] ) );

// Only now validate the key for this request.
$result = wp_validate_user_request_key( $request_id, $key );
if ( is_wp_error( $result ) ) {
	wp_die( $result );
}
}}}
Cheers
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44901>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform