Return error if nonce doesn't match
An invalid nonce should never reach the identity_url checking code, which
allows a user to log in.
fuzzie committed Jul 18, 2016
1 parent c664ff5 commit f705e8e
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions login.php
Expand Up @@ -37,6 +37,7 @@ function openid_authenticate($user) {


if ( !wp_verify_nonce($_REQUEST['_wpnonce'], 'openid_login_' . md5($identity_url)) ) { if ( !wp_verify_nonce($_REQUEST['_wpnonce'], 'openid_login_' . md5($identity_url)) ) {
$user = new WP_Error('openid_login_error', __('Error during OpenID authentication. Please try again. (invalid nonce)', 'openid')); $user = new WP_Error('openid_login_error', __('Error during OpenID authentication. Please try again. (invalid nonce)', 'openid'));
return $user;
} }


if ( $identity_url ) { if ( $identity_url ) {
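
Review bot: the new `return $user;` in the invalid-nonce branch ships with no test (the commit touches only login.php), so nothing stops a later refactor from reintroducing the fall-through into `if ( $identity_url ) {`. Add a regression test that sends a request with a wrong `_wpnonce` and asserts that `openid_authenticate()` returns the `WP_Error` without entering the identity_url block. Separately, `$_REQUEST['_wpnonce']` is read without an `isset()` check in the same condition, so a request that omits the parameter raises an undefined-index notice before verification fails; guard the read, and consider making the `if ( $identity_url )` block an explicit `else` of the nonce check so the ordering is enforced by structure rather than by an early return alone.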
