diff --git a/providers/class-two-factor-email.php b/providers/class-two-factor-email.php
index 9a644e32..94fd8448 100644
--- a/providers/class-two-factor-email.php
+++ b/providers/class-two-factor-email.php
@@ -269,7 +269,7 @@ public function authentication_page( $user ) {

- +

@@ -317,7 +317,10 @@ public function validate_authentication( $user ) {
 return false;
 }
- return $this->validate_token( $user->ID, $_REQUEST['two-factor-email-code'] );
+ // Ensure there are no spaces or line breaks around the code.
+ $code = trim( sanitize_text_field( $_REQUEST['two-factor-email-code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.
+
+ return $this->validate_token( $user->ID, $code );
 }
 /**
diff --git a/tests/providers/class-two-factor-email.php b/tests/providers/class-two-factor-email.php
index a53a02dc..fd957df0 100644
--- a/tests/providers/class-two-factor-email.php
+++ b/tests/providers/class-two-factor-email.php
@@ -206,6 +206,22 @@ public function test_validate_authentication() {
 unset( $_REQUEST['two-factor-email-code'] );
 }
+ /**
+ * Can strip away blank spaces and new line characters in code input.
+ *
+ * @covers Two_Factor_Email::validate_authentication
+ */
+ public function test_validate_authentication_code_with_spaces() {
+ $user = new WP_User( $this->factory->user->create() );
+
+ $token = $this->provider->generate_token( $user->ID );
+ $_REQUEST['two-factor-email-code'] = sprintf( ' %s ', $token );
+
+ $this->assertTrue( $this->provider->validate_authentication( $user ) );
+
+ unset( $_REQUEST['two-factor-email-code'] );
+ }
+
 /**
 * Verify that availability returns true.
 *
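Review bot: The new `$code` line does not check that the request value is a string before sanitizing it: `$_REQUEST['two-factor-email-code']` can arrive as an array (`two-factor-email-code[]=...`), and `sanitize_text_field()` on an array most likely degrades to the literal string "Array" with a PHP notice rather than failing cleanly, so the comparison inside `validate_token()` would run on a value the user never typed; the guard that precedes this hunk shows only its `return false;`, so whether it already rejects non-strings cannot be confirmed from here. Adding `if ( ! is_string( $_REQUEST['two-factor-email-code'] ) ) { return false; }` ahead of the sanitization keeps the token path string-only. Separately, the outer `trim()` appears redundant, since WordPress documents `sanitize_text_field()` as already removing line breaks, tabs and surrounding whitespace; keeping both is harmless but the comment should say which call does the work. The `phpcs:ignore` justification names no method, so "handled by the core method already" is not auditable; naming the caller that verifies the request (or the nonce it checks) in that comment would let a reviewer confirm the suppression. The opening lines of validate_authentication() are outside the hunk.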
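Review bot: The new test exercises only surrounding spaces (`sprintf( ' %s ', $token )`) although its docblock claims coverage of new-line characters too, so the line-break case that the provider change advertises is not actually pinned; a second input such as `sprintf( "\n%s\r\n", $token )`, or a data provider over both shapes, would cover it. The test also asserts only the accept path; a negative case showing that a padded but incorrect code (for example `sprintf( ' %s ', $token . '1' )`) still returns false would demonstrate the trimming does not loosen validation. If a second case is added, consider renaming the method or docblock to "whitespace" rather than "spaces" so the name matches what is tested.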