From 63eda3b3a4c1f98285e598613fdaa95a81444936 Mon Sep 17 00:00:00 2001
From: Felix Arntz
Date: Fri, 13 Apr 2018 15:29:52 +0000
Subject: [PATCH] Multisite: Verify the signup nonce using `wp_verify_nonce()` in `signup_nonce_check()`.

Prior to this change, the nonce passed from `wp-signup.php` was verified with a simple comparison. Furthermore in case of failures, `wp_die()` would be called right during the HTML markup being already printed. Now the error message is returned properly, modifying the `WP_Error` object in the passed `$result`.

Props herregroen.
Fixes #43667.

git-svn-id: https://develop.svn.wordpress.org/trunk@42976 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/ms-functions.php | 4 +--
 .../multisite/wpmuValidateBlogSignup.php | 30 +++++++++++++++++++
 .../multisite/wpmuValidateUserSignup.php | 30 +++++++++++++++++++
 3 files changed, 62 insertions(+), 2 deletions(-)

diff --git a/src/wp-includes/ms-functions.php b/src/wp-includes/ms-functions.php
index ebc699436d..f2dbbc750f 100644
--- a/src/wp-includes/ms-functions.php
+++ b/src/wp-includes/ms-functions.php
@@ -2193,8 +2193,8 @@ function signup_nonce_check( $result ) {
 return $result;
 }
 
- if ( wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] ) != $_POST['_signup_form'] ) {
- wp_die( __( 'Please try again.' ) );
+ if ( ! wp_verify_nonce( $_POST['_signup_form'], 'signup_form_' . $_POST['signup_form_id'] ) ) {
+ $result['errors']->add( 'invalid_nonce', __( 'Unable to submit this form, please try again.' ) );
 }
 
 return $result;
diff --git a/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php b/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
index 0ca778acc3..892fd521da 100644
--- a/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
+++ b/tests/phpunit/tests/multisite/wpmuValidateBlogSignup.php
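Review bot: The new `wp_verify_nonce()` call still reads `$_POST['_signup_form']` and `$_POST['signup_form_id']` without checking that either key is set, so a POST to wp-signup.php that omits one of them emits an undefined-index notice before the check fails; only the tail of `signup_nonce_check()` is in the hunk, so an earlier guard on these keys may exist but is not visible here. I would read them defensively first, `$nonce = isset( $_POST['_signup_form'] ) ? $_POST['_signup_form'] : '';` and `$form_id = isset( $_POST['signup_form_id'] ) ? $_POST['signup_form_id'] : '';`, and then call `wp_verify_nonce( $nonce, 'signup_form_' . $form_id )`. Note also that, beyond removing the mid-markup `wp_die()`, the change swaps a loose `!=` on the raw nonce string for core's verifier, which as far as I recall compares with `hash_equals()` and honours the nonce tick window; that is the security-relevant half of the fix and deserves a one-line comment above the `if`, e.g. `// Verify via wp_verify_nonce() so the tick window and constant-time compare apply; a loose != on the raw string did neither.` The function body begins outside the hunk.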
@@ -126,6 +126,36 @@ if ( is_multisite() ) :
 public function filter_minimum_site_name_length() {
 return $this->minimum_site_name_length;
 }
+
+ /**
+ * @ticket 43667
+ */
+ public function test_signup_nonce_check() {
+ $original_php_self = $_SERVER['PHP_SELF'];
+ $_SERVER['PHP_SELF'] = '/wp-signup.php';
+ $_POST['signup_form_id'] = 'blog-signup-form';
+ $_POST['_signup_form'] = wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] );
+
+ $valid = wpmu_validate_blog_signup( 'my-nonce-site', 'Site Title', get_userdata( self::$super_admin_id ) );
+ $_SERVER['PHP_SELF'] = $original_php_self;
+
+ $this->assertNotContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+ }
+
+ /**
+ * @ticket 43667
+ */
+ public function test_signup_nonce_check_invalid() {
+ $original_php_self = $_SERVER['PHP_SELF'];
+ $_SERVER['PHP_SELF'] = '/wp-signup.php';
+ $_POST['signup_form_id'] = 'blog-signup-form';
+ $_POST['_signup_form'] = wp_create_nonce( 'invalid' );
+
+ $valid = wpmu_validate_blog_signup( 'my-nonce-site', 'Site Title', get_userdata( self::$super_admin_id ) );
+ $_SERVER['PHP_SELF'] = $original_php_self;
+
+ $this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+ }
 }
 
 endif;
diff --git a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
index d9d3e71e2b..15ab87a0ec 100644
--- a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
+++ b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
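Review bot: Both new tests set `$_POST['signup_form_id']` and `$_POST['_signup_form']` but only `$_SERVER['PHP_SELF']` is restored afterwards, so the nonce fields leak into every later test in the same process and will presumably steer `signup_nonce_check()` for any unrelated `wpmu_validate_blog_signup()` call whose `PHP_SELF` also matches. Clear them next to the `PHP_SELF` restore with `unset( $_POST['signup_form_id'], $_POST['_signup_form'] );`. Because the restore is an ordinary statement rather than a `tearDown()` reset, a validation call that throws would also leave `PHP_SELF` pointing at `/wp-signup.php` for the rest of the run. The enclosing test class begins before the hunk.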
@@ -165,6 +165,36 @@ if ( is_multisite() ) :
 
 $this->assertNotContains( 'user_email', $valid['errors']->get_error_codes() );
 }
+
+ /**
+ * @ticket 43667
+ */
+ public function test_signup_nonce_check() {
+ $original_php_self = $_SERVER['PHP_SELF'];
+ $_SERVER['PHP_SELF'] = '/wp-signup.php';
+ $_POST['signup_form_id'] = 'user-signup-form';
+ $_POST['_signup_form'] = wp_create_nonce( 'signup_form_' . $_POST['signup_form_id'] );
+
+ $valid = wpmu_validate_user_signup( 'validusername', 'email@example.com' );
+ $_SERVER['PHP_SELF'] = $original_php_self;
+
+ $this->assertNotContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+ }
+
+ /**
+ * @ticket 43667
+ */
+ public function test_signup_nonce_check_invalid() {
+ $original_php_self = $_SERVER['PHP_SELF'];
+ $_SERVER['PHP_SELF'] = '/wp-signup.php';
+ $_POST['signup_form_id'] = 'user-signup-form';
+ $_POST['_signup_form'] = wp_create_nonce( 'invalid' );
+
+ $valid = wpmu_validate_user_signup( 'validusername', 'email@example.com' );
+ $_SERVER['PHP_SELF'] = $original_php_self;
+
+ $this->assertContains( 'invalid_nonce', $valid['errors']->get_error_codes() );
+ }
 }
 
 endif;
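Review bot: `test_signup_nonce_check_invalid` only covers a nonce minted for a different action (`wp_create_nonce( 'invalid' )`); the failure an attacker or a stale page actually produces — `_signup_form` missing or empty in the POST body — is not exercised, and a third case with `$_POST['_signup_form'] = '';` asserting `invalid_nonce` would also surface any undefined-index notice from `signup_nonce_check()` reading the key unguarded. As in the sibling blog-signup tests, the `$_POST` fields set here are never cleared, so add `unset( $_POST['signup_form_id'], $_POST['_signup_form'] );` beside the `PHP_SELF` restore to keep them from leaking into later tests. The enclosing test class begins before the hunk.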