
Opened 8 months ago

Closed 5 months ago

#1859 closed defect (fixed)

Contact form: remove front-end nonces

Reported by: iandunn
Owned by: tmoorewp
Priority: normal
Severity: normal
Plugin: jetpack
Keywords: grunion contact-form plugin-compat has-patch
Cc: jeremy+wp@…, richard@…

Description

Nonces on the front-end don't serve any security purpose, and can cause errors when they're cached and then expire.

I'm getting reports of sporadic "Are you sure..." wp_die()-style error messages when users fill out contact forms on WordCamp.org and suspect they're being caused by expired front-end nonces in the contact form.

The process looks similar to this:

  1. Page with form is created
  2. Page is viewed for the first time
  3. Nonce is generated
  4. Page is cached
  5. Time passes and the nonce expires
  6. Cached version of page is viewed again
  7. Form is submitted with expired nonce
  8. User gets "Are you sure..." error and form is not submitted

Removing the nonce fixes the problem without causing any security issues, since the nonce wasn't giving any real protection in the first place.

Attachments (2)

1859.diff (1010 bytes) - added by iandunn 8 months ago.
1859.2.diff (1.2 KB) - added by iandunn 5 months ago.


Change History (8)

iandunn 8 months ago

comment:1 iandunn 8 months ago

  • Keywords has-patch added

1859.diff removes the nonce in the form itself, but not the nonce used after the form is submitted and the user is redirected to view the results. Removing that one would require setting up some new kind of auth mechanism, and I don't think the redirect page is as susceptible to the caching problem as the form itself.

comment:2 jeherve 8 months ago

  • Cc jeremy+wp@… added
  • Keywords grunion contact-form plugin-compat added
  • Summary changed from Remove front-end nonces from contact form module to Contact form: remove front-end nonces

comment:3 richardmtl 6 months ago

  • Cc richard@… added

comment:4 mdawaffe 5 months ago

There should still be a nonce for logged in users.

Without a nonce, a malicious party can trick someone into submitting the form. That's not great for logged out users, but it's bad for logged in users, since the plugin claims the message was sent by a "verified account" if a logged in user submitted the form.

iandunn 5 months ago

comment:5 iandunn 5 months ago

1859.2.diff wraps the nonces in is_user_logged_in() instead of removing them.
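The shape of the fix discussed in the description and in comments 4 and 5, as an added illustration (not Jetpack's code or the contents of 1859.2.diff): the nonce is emitted and checked only when a user is logged in, so anonymous visitors served from a page cache never carry a token that can expire, while the submissions the plugin labels "verified" keep their CSRF check. The action name, field name and function names are assumptions.

```php
<?php
// Added example, not from the Jetpack plugin. Action and field names are
// invented for illustration; the WordPress functions used are real.

// Render the form fields. Anonymous visitors get no nonce at all, so a
// cached copy of the page cannot later be submitted with a stale token.
function example_contact_form_fields() {
    if ( is_user_logged_in() ) {
        // Only logged-in users need the CSRF token: theirs is the submission
        // the plugin would present as coming from a verified account.
        wp_nonce_field( 'example_contact_form', 'example_contact_nonce' );
    }
    echo '<input type="text" name="contact_message">';
}

// Handle the POST. Returns the message plus a flag that is only true when a
// logged-in user's nonce actually verified, so "verified" cannot be claimed
// for a submission a third party tricked the user into sending.
function example_handle_contact_submission() {
    $verified = false;

    if ( is_user_logged_in() ) {
        $nonce = isset( $_POST['example_contact_nonce'] )
            ? sanitize_text_field( wp_unslash( $_POST['example_contact_nonce'] ) )
            : '';

        // wp_verify_nonce() returns 1 or 2 for a live nonce and false for a
        // missing, forged or expired one.
        if ( ! wp_verify_nonce( $nonce, 'example_contact_form' ) ) {
            wp_die( 'Are you sure you want to do this?' );
        }
        $verified = true;
    }

    $message = isset( $_POST['contact_message'] )
        ? sanitize_text_field( wp_unslash( $_POST['contact_message'] ) )
        : '';

    return array(
        'message'  => $message,
        'verified' => $verified,
    );
}
```

The caching failure from the description comes back for logged-in users if the page cache serves them too, so this pattern relies on the cache bypassing logged-in sessions, which WordPress page caches normally do.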

comment:6 migueluy 5 months ago

  • Resolution set to fixed
  • Status changed from new to closed

In 803811:

Jetpack: Contact Form: Remove nonsense nonce.
Fixes #1859
Props @iandunn
