Opened 15 years ago
Closed 15 years ago
#2289 closed defect (bug) (fixed)
Spam accounts bypassing 'bp_signup_validate' action [HAS PATCH]
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | 1.2.4 | Priority: | major |
Severity: | | Version: | |
Component: | Core | Keywords: | has-patch |
Cc: | | | |
Description
I have a function hooked onto the 'bp_signup_validate' action in which I validate user signups. It works correctly when going through the normal signup steps, but somehow spammers are able to create accounts that aren't validated by the 'bp_signup_validate' action.
I'm not sure how they are doing it exactly, but I did find some code in bp-core-signup that appears to provide a hole for spammers. The bp_core_wpsignup_redirect() function calls wp_redirect to redirect from wp-signup.php to the BP register page, but it doesn't call die() after redirect, so it would appear that the wp-signup.php code would still get executed. The correct function to call would be bp_core_redirect() (see attached patch) or at least call die() after wp_redirect().
(In [2930]) Fixes #2289 props rvenable
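Added example, not part of the ticket or of the BuddyPress code base: a small source scan that flags `wp_redirect()` calls whose next statement is not `exit`/`die`, the pattern the description identifies. The sample PHP and its `demo_*` function names are constructed for illustration.

```python
import re

CALL = re.compile(r"\bwp_redirect\s*\(")
# Whitespace and PHP comments that may sit between the call and the next statement.
SKIP = re.compile(r"(?:\s+|//[^\n]*|#[^\n]*|/\*.*?\*/)*", re.S)
TERMINATOR = re.compile(r"(?:exit|die)\b", re.I)

def _end_of_call(src, open_idx):
    """Index just past the ')' that closes the '(' at open_idx, or -1."""
    depth, quote, i = 0, None, open_idx
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return -1

def find_unterminated_redirects(src):
    """1-based line numbers of wp_redirect() calls whose next statement is not exit/die.
    Heuristic: text scan only, so calls inside comments or conditions may be misreported."""
    hits = []
    for m in CALL.finditer(src):
        end = _end_of_call(src, m.end() - 1)
        if end == -1:
            continue
        pos = SKIP.match(src, end).end()
        if src.startswith(";", pos):
            pos = SKIP.match(src, pos + 1).end()
        if not TERMINATOR.match(src, pos):
            hits.append(src.count("\n", 0, m.start()) + 1)
    return hits

# Constructed sample (not BuddyPress source); demo_* names are hypothetical.
SAMPLE = """<?php
function demo_redirect_before() {
    wp_redirect( demo_register_url() );
}
function demo_redirect_after() {
    wp_redirect( demo_register_url() );
    die();
}
"""

if __name__ == "__main__":
    print(find_unterminated_redirects(SAMPLE))
```

Only the first function in the sample is reported; the second ends the request immediately after sending the `Location` header, so no later code in the file runs.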