#831 Fix nonce verification in 2FA flow #833
+68
−24
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -452,7 +452,7 @@ public static function get_user_two_factor_revalidate_url( $interim = false ) { | |||||
| * @return boolean | ||||||
| */ | ||||||
| public static function is_valid_user_action( $user_id, $action ) { | ||||||
| $request_nonce = isset( $_REQUEST[ self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG ] ) ? wp_unslash( $_REQUEST[ self::USER_SETTINGS_ACTION_NONCE_QUERY_ARG ] ) : ''; // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Value only passed to wp_verify_nonce(). | ||||||
|
|
||||||
| if ( ! $user_id || ! $action || ! $request_nonce ) { | ||||||
| return false; | ||||||
|
|
@@ -473,8 +473,8 @@ public static function is_valid_user_action( $user_id, $action ) { | |||||
| */ | ||||||
| public static function current_user_being_edited() { | ||||||
| // Try to resolve the user ID from the request first. | ||||||
| if ( ! empty( $_REQUEST['user_id'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verified in trigger_user_settings_action() via is_valid_user_action() before any state change. | ||||||
| $user_id = intval( $_REQUEST['user_id'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verified in trigger_user_settings_action() via is_valid_user_action() before any state change. | ||||||
|
|
||||||
| if ( current_user_can( 'edit_user', $user_id ) ) { | ||||||
| return $user_id; | ||||||
|
|
@@ -493,7 +493,7 @@ public static function current_user_being_edited() { | |||||
| * @return void | ||||||
| */ | ||||||
| public static function trigger_user_settings_action() { | ||||||
| $action = isset( $_REQUEST[ self::USER_SETTINGS_ACTION_QUERY_VAR ] ) ? wp_unslash( $_REQUEST[ self::USER_SETTINGS_ACTION_QUERY_VAR ] ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Nonce verified in is_valid_user_action() before do_action. | ||||||
| $user_id = self::current_user_being_edited(); | ||||||
|
|
||||||
| if ( self::is_valid_user_action( $user_id, $action ) ) { | ||||||
|
There was a problem hiding this comment.
|
||||||
|
|
@@ -906,7 +906,7 @@ public static function show_two_factor_login( $user ) { | |||||
| wp_die( esc_html__( 'Failed to create a login nonce.', 'two-factor' ) ); | ||||||
| } | ||||||
|
|
||||||
| $redirect_to = isset( $_REQUEST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_REQUEST['redirect_to'] ) ) : admin_url(); // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Value only used for redirect; auth protected by 2FA login nonce later. | ||||||
|
|
||||||
|
PANawkar marked this conversation as resolved.
|
||||||
| self::login_html( $user, $login_nonce['key'], $redirect_to ); | ||||||
| } | ||||||
|
|
@@ -960,6 +960,12 @@ public static function maybe_show_reset_password_notice( $errors ) { | |||||
| return $errors; | ||||||
| } | ||||||
|
|
||||||
| // Verify login form nonce when present (e.g. wp-login.php); skip only when nonce is not sent (custom login forms). | ||||||
| if ( isset( $_POST['_wpnonce'] ) && ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'log-in' ) ) { | ||||||
| return $errors; | ||||||
| } | ||||||
|
PANawkar marked this conversation as resolved.
|
||||||
|
|
||||||
| // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce verified above when _wpnonce present; absent for custom login forms. | ||||||
| $user_name = sanitize_user( wp_unslash( $_POST['log'] ) ); | ||||||
| $attempted_user = get_user_by( 'login', $user_name ); | ||||||
| if ( ! $attempted_user && str_contains( $user_name, '@' ) ) { | ||||||
|
|
@@ -1487,11 +1493,11 @@ public static function rest_api_can_edit_user_and_update_two_factor_options( $us | |||||
| * @since 0.2.0 | ||||||
| */ | ||||||
| public static function login_form_validate_2fa() { | ||||||
| $wp_auth_id = ! empty( $_REQUEST['wp-auth-id'] ) ? absint( $_REQUEST['wp-auth-id'] ) : 0; // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verified in _login_form_validate_2fa() via verify_login_nonce() before any use. | ||||||
|
PANawkar marked this conversation as resolved.
|
||||||
| $nonce = ! empty( $_REQUEST['wp-auth-nonce'] ) ? wp_unslash( $_REQUEST['wp-auth-nonce'] ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Nonce verified in _login_form_validate_2fa() before any use. | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| $provider = ! empty( $_REQUEST['provider'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['provider'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verified in _login_form_validate_2fa() before any use. | ||||||
| $redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_REQUEST['redirect_to'] ) ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verified in _login_form_validate_2fa() before any use. | ||||||
|
PANawkar marked this conversation as resolved.
|
||||||
| $is_post_request = isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === strtoupper( $_SERVER['REQUEST_METHOD'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- REQUEST_METHOD is not user input. | ||||||
| $user = get_user_by( 'id', $wp_auth_id ); | ||||||
|
|
||||||
| if ( ! $wp_auth_id || ! $nonce || ! $user ) { | ||||||
|
|
@@ -1553,7 +1559,7 @@ public static function _login_form_validate_2fa( $user, $nonce = '', $provider = | |||||
| delete_user_meta( $user->ID, self::USER_FAILED_LOGIN_ATTEMPTS_KEY ); | ||||||
|
|
||||||
| $rememberme = false; | ||||||
| if ( isset( $_REQUEST['rememberme'] ) && $_REQUEST['rememberme'] ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Request read only after successful verify_login_nonce() in this request. | ||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||
| $rememberme = true; | ||||||
| } | ||||||
|
|
||||||
|
|
@@ -1594,7 +1600,7 @@ public static function _login_form_validate_2fa( $user, $nonce = '', $provider = | |||||
| $interim_login = isset( $_REQUEST['interim-login'] ); // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited,WordPress.Security.NonceVerification.Recommended | ||||||
|
|
||||||
| if ( $interim_login ) { | ||||||
| $customize_login = isset( $_REQUEST['customize-login'] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Request read only after successful verify_login_nonce() in this request. | ||||||
| if ( $customize_login ) { | ||||||
| wp_enqueue_script( 'customize-base' ); | ||||||
| } | ||||||
|
|
@@ -1627,10 +1633,10 @@ public static function _login_form_validate_2fa( $user, $nonce = '', $provider = | |||||
| * @since 0.9.0 | ||||||
| */ | ||||||
| public static function login_form_revalidate_2fa() { | ||||||
| $nonce = ! empty( $_REQUEST['wp-auth-nonce'] ) ? wp_unslash( $_REQUEST['wp-auth-nonce'] ) : ''; // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Nonce verified in _login_form_revalidate_2fa() for POST before processing. | ||||||
| $provider = ! empty( $_REQUEST['provider'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['provider'] ) ) : false; // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verified in _login_form_revalidate_2fa() for POST before processing. | ||||||
| $redirect_to = ! empty( $_REQUEST['redirect_to'] ) ? esc_url_raw( wp_unslash( $_REQUEST['redirect_to'] ) ) : admin_url(); // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Nonce verified in _login_form_revalidate_2fa() for POST before processing. | ||||||
|
PANawkar marked this conversation as resolved.
|
||||||
| $is_post_request = isset( $_SERVER['REQUEST_METHOD'] ) && 'POST' === strtoupper( $_SERVER['REQUEST_METHOD'] ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.MissingUnslash, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- REQUEST_METHOD is not user input. | ||||||
|
|
||||||
| self::_login_form_revalidate_2fa( $nonce, $provider, $redirect_to, $is_post_request ); | ||||||
| exit; | ||||||
|
|
@@ -2386,7 +2392,7 @@ public static function get_current_user_session() { | |||||
| public static function rememberme() { | ||||||
| $rememberme = false; | ||||||
|
|
||||||
| if ( ! empty( $_REQUEST['rememberme'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Only used after 2FA login nonce verified by caller. | ||||||
| $rememberme = true; | ||||||
| } | ||||||
|
There was a problem hiding this comment. The phpcs ignore reason here says the value is only used after the 2FA login nonce is verified by the caller, but |
||||||
|
|
||||||
|
|
||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -171,11 +171,11 @@ public static function get_code( $length = 8, $chars = '1234567890' ) { | |||||
| * @return false|string Auth code on success, false if the field is not set or not expected length. | ||||||
| */ | ||||||
| public static function sanitize_code_from_request( $field, $length = 0 ) { | ||||||
| if ( empty( $_REQUEST[ $field ] ) ) { // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- Caller (core) verifies nonce before provider processing. | ||||||
| return false; | ||||||
| } | ||||||
|
|
||||||
| $code = wp_unslash( $_REQUEST[ $field ] ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, WordPress.Security.ValidatedSanitizedInput.InputNotSanitized -- Caller (core) verifies nonce; value sanitized below. | ||||||
|
There was a problem hiding this comment. The phpcs ignore rationale says the request value is “sanitized below”, but this function only strips whitespace and (optionally) checks length; it still permits arbitrary characters (per existing unit tests). Please either adjust the ignore comment to match the actual behavior (e.g., “normalized”) or strengthen validation/sanitization if the intent is to accept only a restricted code format.
Suggested change
|
||||||
| $code = preg_replace( '/\s+/', '', $code ); | ||||||
|
|
||||||
| // Maybe validate the length. | ||||||
|
|
||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
$request_noncecomes from$_REQUESTand may be an array (e.g....?arg[]=x), which can trigger notices or unexpected behavior when passed intowp_verify_nonce(). Consider guarding withis_scalar()/ casting to string and sanitizing (similar to the_wpnoncehandling elsewhere) before verifying.