Fix form security validation

This commit is contained in:
champsupertramp
2016-02-20 15:47:27 +08:00
parent 6209f0360d
commit 4dc3169a74
+11 -10
View File
@@ -83,20 +83,21 @@ class UM_Form {
$role = $this->assigned_role( $this->form_id );
if ( isset( $this->form_data['role'] ) && ( (boolean) $this->form_data['role'] ) && isset( $_POST['role'] ) && $_POST['role'] != $role ) {
wp_die( __( 'This is not possible for security reasons.','ultimatemember') );
} else {
if ( isset( $this->form_data['custom_fields'] ) && strstr( $this->form_data['custom_fields'], 'role_' ) ) {
// In this case, admin allowed users to choose a role during registration
if( $role ){ // has assigned role. Validate non-global forms
if ( isset( $this->form_data['role'] ) && ( (boolean) $this->form_data['role'] ) && isset( $_POST['role'] ) && $_POST['role'] != $role ) {
wp_die( __( 'This is not possible for security reasons.','ultimatemember') );
} else {
if ( isset( $_POST['role'] ) ) {
if ( $role != $_POST['role'] ) {
wp_die( __( 'This is not possible for security reasons.','ultimatemember') );
if ( isset( $this->form_data['custom_fields'] ) && strstr( $this->form_data['custom_fields'], 'role_' ) ) {
// In this case, admin allowed users to choose a role during registration
} else {
if ( isset( $_POST['role'] ) ) {
if ( $role != $_POST['role'] ) {
wp_die( __( 'This is not possible for security reasons.','ultimatemember') );
}
}
}
}
}
if ( isset( $_POST[ $ultimatemember->honeypot ] ) && $_POST[ $ultimatemember->honeypot ] != '' )
wp_die('Hello, spam bot!');
@@ -172,7 +173,7 @@ class UM_Form {
$role = get_post_meta( $post_id, '_um_register_role', true );
if( ! $role ){
$role = um_get_option('default_role');
$role = false;
}
return $role;
}