Merge pull request #382 from WordPress/fix/phpcs-followup
Ensure there are no blank spaces or line breaks around the token
kasparsd authored Aug 26, 2020
2 parents feb4708 + e200e0e commit 736473e
Showing 2 changed files with 21 additions and 2 deletions.
7 changes: 5 additions & 2 deletions providers/class-two-factor-email.php
Expand Up @@ -269,7 +269,7 @@ public function authentication_page( $user ) {
<p><?php esc_html_e( 'A verification code has been sent to the email address associated with your account.', 'two-factor' ); ?></p>
<p>
<label for="authcode"><?php esc_html_e( 'Verification Code:', 'two-factor' ); ?></label>
<input type="tel" name="two-factor-email-code" id="authcode" class="input" value="" size="20" pattern="[0-9]*" />
<input type="tel" name="two-factor-email-code" id="authcode" class="input" value="" size="20" />
<?php submit_button( __( 'Log In', 'two-factor' ) ); ?>
</p>
<p class="two-factor-email-resend">
Expand Down Expand Up @@ -317,7 +317,10 @@ public function validate_authentication( $user ) {
return false;
}

return $this->validate_token( $user->ID, $_REQUEST['two-factor-email-code'] );
// Ensure there are no spaces or line breaks around the code.
$code = trim( sanitize_text_field( $_REQUEST['two-factor-email-code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.

return $this->validate_token( $user->ID, $code );
}

/**
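Review bot: In validate_authentication the new `$code` line passes `$_REQUEST['two-factor-email-code']` to `sanitize_text_field()` without `wp_unslash()`, and the outer `trim()` is redundant because `sanitize_text_field()` already trims the value and collapses line breaks. The trailing text in the ignore comment is also malformed: after a comma PHPCS reads it as a further sniff code, and a reason belongs after ` -- `. I would write `$code = sanitize_text_field( wp_unslash( $_REQUEST['two-factor-email-code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- handled by the core method already.`. The function starts above the hunk, so the guard that returns false when the key is missing is presumably there but is not visible here, and the claim that the nonce is checked upstream cannot be confirmed from this page.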
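--- a/tests/providers/class-two-factor-email.php
+++ b/tests/providers/class-two-factor-email.php
@@ -206,6 +206,22 @@ public function test_validate_authentication() {
 unset( $_REQUEST['two-factor-email-code'] );
 }
 
+/**
+* Can strip away blank spaces and new line characters in code input.
+*
+* @covers Two_Factor_Email::validate_authentication
+*/
+public function test_validate_authentication_code_with_spaces() {
+$user = new WP_User( $this->factory->user->create() );
+
+$token = $this->provider->generate_token( $user->ID );
+$_REQUEST['two-factor-email-code'] = sprintf( ' %s ', $token );
+
+$this->assertTrue( $this->provider->validate_authentication( $user ) );
+
+unset( $_REQUEST['two-factor-email-code'] );
+}
+
 /**
 * Verify that availability returns true.
 *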
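Review bot: test_validate_authentication_code_with_spaces pads the token only with spaces, `sprintf( ' %s ', $token )`, although its docblock also promises new line characters; a second input such as `sprintf( "\n%s\r\n", $token )` would cover that path. The test asserts only the accepting case, so a wrong code padded the same way should also be asserted to return false, which pins that the normalisation does not loosen the comparison. The closing `unset( $_REQUEST['two-factor-email-code'] )` is skipped when the assertion fails, so the submitted code can leak into later tests; clearing it in the class's teardown method would avoid that.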
