Changeset 10317

Timestamp:

09/29/2020 07:12:30 AM (5 years ago)

Author:

dd32

Message:

SSO: Remote Login: Don't add nonces to the redirect location if the user didn't successfully authenticate yet.

This didn't allow an auth bypass as the modified url wasn't being used/exposed as no redirect was occuring.

File:

• sites/trunk/common/includes/wporg-sso/wp-plugin.php (modified) (1 diff)

sites/trunk/common/includes/wporg-sso/wp-plugin.php

@@ -442 +442 @@
 
         protected function _maybe_add_remote_login_bounce( $redirect, $user = false ) {
+            // Authentication failed, don't need to add the login nonces yet.
+            if ( is_wp_error( $user ) ) {
+                return $redirect;
+            }
+
             if ( ! $user ) {
                 $user = wp_get_current_user();