Givewp: Donation form should have nonce verification.

Created on 21 Dec 2017  ·  3 Comments  ·  Source: impress-org/givewp

Issue Overview


It seems like the donation form is missing nonce verification; we have the global JS variable give_global_vars.checkout_nonce, but it is not passed anywhere when submitting the donation form.


Expected Behavior


  • The donation form should have nonce verification to prevent it from getting hacked.

Current Behavior


  • Nonce verification is not found in the donation-creation processing.

Todos

  • [ ] Tests
  • [ ] Documentation

WordPress Environment

### WordPress Environment ###

Home URL: http://localhost/givefortest/18
Site URL: http://localhost/givefortest/18
WP Version: 4.9.1
WP Multisite: –
WP Memory Limit: 256 MB
WP Debug Mode: ✔
WP Cron: ✔
Language: en_US
Permalink Structure: /%year%/%monthnum%/%day%/%postname%/
Show on Front: posts
Table Prefix Length: 3
Table Prefix Status: Acceptable
Admin AJAX: Inaccessible
Registered Post Statuses: publish, future, draft, pending, private, trash, auto-draft, inherit, refunded, failed, revoked, cancelled, abandoned, processing, preapproval

### Server Environment ###

Hosting Provider: DBH: localhost, SRV: localhost
TLS Connection: Connection uses TLS 1.2
TLS Connection: Probably Okay
Server Info: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/7.0.18
PHP Version: 7.0.18
PHP Post Max Size: 8 MB
PHP Time Limit: 0
PHP Max Input Vars: 1000
PHP Max Upload Size: 2 MB
cURL Version: 7.51.0, OpenSSL/1.0.2j
SUHOSIN Installed: –
Default Timezone is UTC: ✔
fsockopen/cURL: ✔
SoapClient: ❌ Your server does not have the SoapClient class enabled - some gateway plugins which use SOAP may not work as expected.
DOMDocument: ✔
gzip: ✔
GD Graphics Library: ✔
Multibyte String: ✔
Remote Post: ✔
Remote Get: ✔

### Give Configuration ###

Give Version: 1.8.19
Database Updates: All DB Updates Completed.
Upgraded From: –
Test Mode: Enabled
Currency Code: USD
Currency Position: Before
Decimal Separator: .
Thousands Separator: ,
Success Page: http://localhost/givefortest/18/donation-confirmation/
Failure Page: http://localhost/givefortest/18/donation-failed/
Donation History Page: http://localhost/givefortest/18/donation-history/
Give Forms Slug: /donations/
Enabled Payment Gateways: Test Donation, Offline Donation
Default Payment Gateway: Offline Donation
PayPal IPN Verification: Enabled
PayPal IPN Notifications: N/A
Admin Email Notifications: Enabled
Donor Email Access: Enabled

### Session Configuration ###

Give Use Sessions: Enabled
Session: Disabled

### Active Give Add-ons ###

Give - Stripe Gateway: ❌ Unlicensed – by WordImpress – 1.5.1

### Other Active Plugins ###


### Inactive Plugins ###

Akismet Anti-Spam: by Automattic – 4.0.1
Give - Fee Recovery: by WordImpress – 1.3.4
Hello Dolly: by Matt Mullenweg – 1.6

### Theme ###

Name: Twenty Seventeen
Version: 1.4
Author URL: https://wordpress.org/
Child Theme: No – If you're modifying Give on a parent theme you didn't build personally, then we recommend using a child theme. See: How to Create a Child Theme

All 3 comments

The nonce should be renamed to donation_form_nonce and checked at form validation.

This nonce should be used when changing the country in the Billing Details section.

@emgk Create a general function for nonce validation which we can use anywhere in donation form processing.

function give_verify_donation_form_nonce(){}
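The wiring the issue describes (carry the nonce from the page into the POST body, then verify it once during form validation), written out as an added example; this is not GiveWP's own code. The action name give_donation_form_, the hidden field name give-form-nonce, the give-form-id POST field, and the hooks give_donation_form_top and give_checkout_error_checks are assumptions chosen for illustration. give_verify_donation_form_nonce is the general helper the last comment asks for, and give_set_error is assumed to be Give's error-reporting function; wp_nonce_field, wp_verify_nonce and wp_unslash are standard WordPress APIs.

```php
<?php
/**
 * Added example (not GiveWP project code): nonce-protect the donation form.
 * Assumed names: action prefix 'give_donation_form_', field 'give-form-nonce',
 * POST field 'give-form-id', hooks 'give_donation_form_top' and
 * 'give_checkout_error_checks', and Give's give_set_error() helper.
 */

// 1. Emit the nonce as a hidden field inside the form markup so it travels in
//    the POST body, instead of only sitting in give_global_vars on the JS side.
function give_example_donation_form_nonce_field( $form_id ) {
	// Tie the nonce to the form ID so a token issued for one form cannot be
	// replayed against another form on the same site.
	wp_nonce_field( 'give_donation_form_' . absint( $form_id ), 'give-form-nonce', false );
}
add_action( 'give_donation_form_top', 'give_example_donation_form_nonce_field' );

// 2. General verifier usable anywhere in donation processing, including AJAX
//    handlers (pass the nonce explicitly there). Returns true when the nonce is
//    valid; otherwise records a form error and returns false so the caller can
//    stop before any payment record is created.
function give_verify_donation_form_nonce( $form_id, $nonce = null ) {
	if ( null === $nonce ) {
		$nonce = isset( $_POST['give-form-nonce'] )
			? sanitize_text_field( wp_unslash( $_POST['give-form-nonce'] ) )
			: '';
	}

	// wp_verify_nonce() returns 1 or 2 for a live token and false otherwise;
	// compare strictly against false so the "2" (older half of the window)
	// case is still accepted.
	$valid = wp_verify_nonce( $nonce, 'give_donation_form_' . absint( $form_id ) );

	if ( false === $valid ) {
		give_set_error(
			'invalid_nonce',
			__( 'Your session has expired. Please reload the page and try again.', 'give' )
		);
		return false;
	}

	return true;
}

// 3. Run the check at form validation, before the donation is created.
function give_example_check_donation_nonce( $valid_data, $posted ) {
	$form_id = isset( $posted['give-form-id'] ) ? absint( $posted['give-form-id'] ) : 0;
	give_verify_donation_form_nonce( $form_id );
}
add_action( 'give_checkout_error_checks', 'give_example_check_donation_nonce', 10, 2 );
```

Two caveats a practitioner should keep in mind: WordPress nonces are valid for up to 24 hours and are bound to the visitor's session token, so a donation page served from a full-page cache can hand a stale or foreign nonce to the next visitor and cause spurious failures; either exclude the form page from caching or fetch the nonce over AJAX. And a nonce is a CSRF control only; it does not replace validating the amount, form ID and gateway fields server-side.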