From b68de5219410b4151b6df308c6d7feb2ef35e5bf Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Wed, 26 Aug 2020 12:44:34 +0300
Subject: [PATCH 1/3] Ensure there are no blank spaces or line breaks around the token

Fixes #379.
---
 providers/class-two-factor-email.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/providers/class-two-factor-email.php b/providers/class-two-factor-email.php
index 9a644e32..8bb83ae3 100644
--- a/providers/class-two-factor-email.php
+++ b/providers/class-two-factor-email.php
@@ -317,7 +317,10 @@ public function validate_authentication( $user ) {
 return false;
 }
 
- return $this->validate_token( $user->ID, $_REQUEST['two-factor-email-code'] );
+ // Ensure there are no spaces or line breaks around the code.
+ $code = trim( sanitize_text_field( $_REQUEST['two-factor-email-code'] ) ); // phpcs:ignore WordPress.Security.NonceVerification.Recommended, handled by the core method already.
+
+ return $this->validate_token( $user->ID, $code );
 }
 
 /**

From 8c5584b6c0f2eddaf312944cb7cf21bd57331ffd Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Wed, 26 Aug 2020 12:47:54 +0300
Subject: [PATCH 2/3] =?UTF-8?q?Code=20might=20contain=20spaces=20=E2=80=94?=
 =?UTF-8?q?=20we=E2=80=99ll=20strip=20them=20away=20during=20processing?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 providers/class-two-factor-email.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/providers/class-two-factor-email.php b/providers/class-two-factor-email.php
index 8bb83ae3..94fd8448 100644
--- a/providers/class-two-factor-email.php
+++ b/providers/class-two-factor-email.php
@@ -269,7 +269,7 @@ public function authentication_page( $user ) {
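Review bot: The outer `trim()` on the new `$code` line is redundant — WordPress's `sanitize_text_field()` already trims its result — and the comment above it understates what the call does: it also strips tags, removes percent-encoded octets and collapses any internal run of spaces, tabs and line breaks to a single space, so the submitted value is normalised, not merely trimmed at the edges. Suggest `$code = sanitize_text_field( $_REQUEST['two-factor-email-code'] );` with the comment `// Normalise the submitted code: sanitize_text_field() strips tags, removes line breaks and collapses/trims whitespace.` so a later reader does not assume only surrounding whitespace is touched. If the request value arrives as an array (`two-factor-email-code[]=…`), `sanitize_text_field()` returns an empty string, which presumably fails validation; that is a better failure mode than handing an array to `validate_token()` as the removed line did, but it deserves its own test. `validate_authentication()` starts outside this hunk, so the `isset`/nonce handling that the phpcs annotation refers to cannot be confirmed from here.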

- +

From e200e0ee43be4b0e69f1a2883845fe23695c1ba5 Mon Sep 17 00:00:00 2001
From: Kaspars Dambis
Date: Wed, 26 Aug 2020 12:50:22 +0300
Subject: [PATCH 3/3] Add a test for the blank thing

---
 tests/providers/class-two-factor-email.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tests/providers/class-two-factor-email.php b/tests/providers/class-two-factor-email.php
index a53a02dc..fd957df0 100644
--- a/tests/providers/class-two-factor-email.php
+++ b/tests/providers/class-two-factor-email.php
@@ -206,6 +206,22 @@ public function test_validate_authentication() {
 unset( $_REQUEST['two-factor-email-code'] );
 }
 
+ /**
+ * Can strip away blank spaces and new line characters in code input.
+ *
+ * @covers Two_Factor_Email::validate_authentication
+ */
+ public function test_validate_authentication_code_with_spaces() {
+ $user = new WP_User( $this->factory->user->create() );
+
+ $token = $this->provider->generate_token( $user->ID );
+ $_REQUEST['two-factor-email-code'] = sprintf( ' %s ', $token );
+
+ $this->assertTrue( $this->provider->validate_authentication( $user ) );
+
+ unset( $_REQUEST['two-factor-email-code'] );
+ }
+
 /**
 * Verify that availability returns true.
 *
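Review bot: The new `test_validate_authentication_code_with_spaces()` only exercises surrounding spaces (`sprintf( ' %s ', $token )`), while its docblock and the first patch in this series claim line breaks are handled too, so a regression in newline or tab stripping would pass unnoticed. Suggest a second input such as `$_REQUEST['two-factor-email-code'] = sprintf( "\n\t%s\r\n", $token );` asserted the same way, or a data provider covering space, tab and CR/LF variants. A negative case — a token with an extra character inserted in the middle still rejected — would also pin down that the normalisation does not loosen the comparison.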