From f705e8e325ac6ed967f5cd589e37eb9f9aa8e02e Mon Sep 17 00:00:00 2001
From: Alyssa Milburn
Date: Mon, 18 Jul 2016 15:31:11 +0200
Subject: [PATCH] Return error if nonce doesn't match
An invalid nonce should never reach the identity_url checking code, which allows a user to login.
---
 login.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/login.php b/login.php
index ee4da24..c0b95a1 100644
--- a/login.php
+++ b/login.php
@@ -37,6 +37,7 @@ function openid_authenticate($user) {
 if ( !wp_verify_nonce($_REQUEST['_wpnonce'], 'openid_login_' . md5($identity_url)) ) {
 $user = new WP_Error('openid_login_error', __('Error during OpenID authentication. Please try again. (invalid nonce)', 'openid'));
+ return $user;
 }
 if ( $identity_url ) {