Ensure there are no blank spaces or line breaks around the token

Fixes #379.
WordPress · Aug 26, 2020 · b68de52 · b68de52
1 parent ad02052
commit b68de52
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/providers/class-two-factor-email.php b/providers/class-two-factor-email.php
@@ -317,7 +317,10 @@ public function validate_authentication( $user ) {
 			return false;
 		}
 
-		return $this->validate_token( $user->ID, $_REQUEST['two-factor-email-code'] );
+		// Ensure there are no spaces or line breaks around the code.
+		$code = trim( sanitize_text_field( $_REQUEST['two-factor-email-code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.
+
+		return $this->validate_token( $user->ID, $code );
 	}
 
 	/**