Added form nonce with arguments
This fixes a security issue where arguments could be edited client-side.
fabianlindfors committed Jun 26, 2020
1 parent acbc699 commit 2ce3ab6
Showing 2 changed files with 23 additions and 6 deletions.
17 changes: 12 additions & 5 deletions core/forms/forms-rendering.php
Expand Up @@ -298,13 +298,20 @@ function render_fields( $form, $args ) {
// Hidden fields to identify form
echo '<div class="acf-hidden">';

$nonce = wp_create_nonce( 'acf_nonce' );
echo sprintf( '<input type="hidden" name="_acfnonce" value="%s">', $nonce );
echo sprintf( '<input type="hidden" name="nonce" value="%s">', $nonce );
$acf_nonce = wp_create_nonce( 'acf_nonce' );
echo sprintf( '<input type="hidden" name="_acfnonce" value="%s">', $acf_nonce );
echo sprintf( '<input type="hidden" name="nonce" value="%s">', $acf_nonce );

echo sprintf( '<input type="hidden" name="af_form" value="%s">', $form['key'] );
echo sprintf( '<input type="hidden" name="af_form_args" value="%s">', base64_encode( json_encode( $args ) ) );
echo sprintf( '<input type="hidden" name="_acf_form" value="%s">', base64_encode( json_encode( $args ) ) );

$encoded_args = base64_encode( json_encode( $args ) );
echo sprintf( '<input type="hidden" name="af_form_args" value="%s">', $encoded_args );
echo sprintf( '<input type="hidden" name="_acf_form" value="%s">', $encoded_args );

// Add nonce to ensure arguments can't be altered.
$hashed_args = hash( 'sha256', $encoded_args );
$nonce = wp_create_nonce( sprintf( 'af_submission_%s_%s', $form['key'], $hashed_args ) );
echo sprintf( '<input type="hidden" name="af_form_nonce" value="%s">', $nonce );

// Add honeypot field that is not visible to users.
// Bots should hopefully fill this in allowing them to be detected.
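Review bot: The new `af_form_nonce` value (and the `$encoded_args` it covers) is written into an HTML attribute via `%s` with no `esc_attr()`; both are attribute-safe by construction (hex and base64 alphabets), but WordPress convention is to escape at output anyway, e.g. `echo sprintf( '<input type="hidden" name="af_form_nonce" value="%s">', esc_attr( $nonce ) );`. The comment "Add nonce to ensure arguments can't be altered." overstates slightly: the args are still delivered to the browser in plain base64, so this is an integrity check, not confidentiality — I would write it as `// Nonce binds the submission to these exact args (integrity only; args remain readable client-side).` Since the nonce is HMAC-bound to the rendered args and to WordPress's nonce tick window, a page cached longer than the nonce lifetime will produce submissions that fail verification; the existing `_acfnonce` presumably has the same property, but it is worth noting because the submission side now hard-fails on this check. render_fields continues outside the hunk.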
12 changes: 11 additions & 1 deletion core/forms/forms-submissions.php
Expand Up @@ -173,7 +173,17 @@ function create_submission() {
}

// Retrieve the args used to display the form
$args = json_decode( base64_decode( $_POST['af_form_args'] ), true );
$encoded_args = $_POST['af_form_args'];
$args = json_decode( base64_decode( $encoded_args ), true );

// Verify nonce
$nonce = $_POST['af_form_nonce'];
$hashed_args = hash( 'sha256', $encoded_args );
$nonce_value = sprintf( 'af_submission_%s_%s', $form['key'], $hashed_args );
if ( ! wp_verify_nonce( $nonce, $nonce_value ) ) {
wp_die( 'Invalid form nonce' );
exit;
}

// Retrieve all form fields and their values
$fields = array();
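Review bot: `$_POST['af_form_args']` and `$_POST['af_form_nonce']` are read without an existence check, and the args are base64/JSON-decoded before the nonce is verified; a request missing either field raises undefined-index notices and `hash()`/`wp_verify_nonce()` are called with `null`. The check still fails closed (a null nonce never verifies), but the usual shape is to read both with a fallback, verify first, and only then decode the untrusted payload. `exit;` after `wp_die()` is unreachable, since `wp_die()` terminates by default. create_submission starts outside the hunk, and `$form` is defined there, so I am assuming `$form['key']` is already validated at that point.

```php
// Retrieve the raw args and nonce; verify before decoding anything.
$encoded_args = isset( $_POST['af_form_args'] ) ? $_POST['af_form_args'] : '';
$nonce = isset( $_POST['af_form_nonce'] ) ? $_POST['af_form_nonce'] : '';

// Verify nonce (bound to the form key and the exact rendered args)
$hashed_args = hash( 'sha256', $encoded_args );
$nonce_value = sprintf( 'af_submission_%s_%s', $form['key'], $hashed_args );
if ( ! wp_verify_nonce( $nonce, $nonce_value ) ) {
    wp_die( 'Invalid form nonce' );
}

// Retrieve the args used to display the form (only after verification)
$args = json_decode( base64_decode( $encoded_args ), true );

// … unchanged: field retrieval …
```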
