localhost is not accepted as email domain

[sanvila]

Hi. Tried to install WordPress on a Debian machine not connected to Internet, only for testing purposes, so when the setup procedure asked me for an email address, I used mylogin@localhost. The setup procedure, however, rejected this as "invalid".

I think the bug is exactly in wp-includes/formatting.php, where it says:

        // Assume the domain will have at least two subs
        if ( 2 > count( $subs ) ) {
                return apply_filters( 'is_email', false, $email, 'domain_no_periods' );
        }

So: Could you please special-case "localhost" in is_email() so that it's allowed as email domain?

I guess the probability of someone using @localhost for email "by mistake" is extremely low, so this change will unlikely harm the average user.

Thanks.

[sivel]

Why not just use email@localhost.localdomain ? That should work without issue.

[sanvila]

There are several reasons:

a) localhost is shorter and I expected it to work.

b) My MTA is usually not configured to accept mail for localhost.localdomain. I have never had a need for that in 15 years.

What's the problem with supporting localhost since it's correct?

BTW: The default value for DB_HOST in wp-config-sample.php is localhost. It would be somewhat contradictory that localhost is not even accepted for email!

[toscho]

PHP 5.2 is now a requirement, so we should use the ​filter functions which allow me@localhost. See the plugin ​Extend Email Checks for an example.

[kurtpayne]

This patch will allow dotless e-mail domains as long as the server can resolve the domain via a DNS lookup. It should allow "localhost" and other development domains, but prevent "fakedomain" (unless fakedomain resolves on your network).

If DNS times out on an invalid dotless domain, there may be a delay of up to 2 seconds. This should be encountered rarely, but, due to the stacking of sanitize_email() and is_email() may be encountered twice in a row.

Thoughts about this approach?

[westi]

Replying to kurtpayne:

This patch will allow dotless e-mail domains as long as the server can resolve the domain via a DNS lookup. It should allow "localhost" and other development domains, but prevent "fakedomain" (unless fakedomain resolves on your network).

If DNS times out on an invalid dotless domain, there may be a delay of up to 2 seconds. This should be encountered rarely, but, due to the stacking of sanitize_email() and is_email() may be encountered twice in a row.

Thoughts about this approach?

We don't want to add dns lookups to every call to is_email as it could slow down a site unnecessary and lead to other issues.

In general we should probably consider moving all of our validation filtering like this to use the filter_var stuff in PHP 5.2 now it is available to us.

[kurtpayne]

Use filter_var to validate / sanitize e-mail addresses

[kurtpayne]

@westi I was ready to disagree and defend "user@localhost" as a valid address, but I dug into this a bit more and found this post on ​stackoverflow.com which changed my mind. The php developers who wrote the e-mail filter don't allow short domains because only FQDNs are allowed in SMTP servers according to RFC 5321.

Submitting patch 17433-2.diff to switch to email code to filter_var() as you and @toscho suggested.

[nacin]

Switching to filter_var() is a major design decision. We can move faster than PHP versions; filter_var() has had a lot of bugs over the years that don't get fixed until later versions of PHP if at all; etc. We need to study this carefully. And, yes, OMG it needs unit tests, and lots of them. The worst thing that we could do moving to filter_var() is regressing in other areas, as unlikely it may be here.

Simply whitelisting 'localhost' seems like a good in-the-meantime solution.

[nofearinc]

What RFC or specification is being followed for email addresses? We could probably agree on some rules and add 50 more tests to the formatting phpunit group of is_email validations, and start from there with any refactoring.

Another good question is whether any framework or CMS out there is doing it better, so that we could get some inspiration from there?

Related: #17491, #21730, #25108, #30039

[salcode]

whitelist localhost domain for email addresses

[salcode]

I've added patch 17433-3.diff, which whitelists localhost as suggested above by Nacin.

This modifies is_email() (as listed in the original description) and sanitize_email(), which was also had to be modified.

[salcode]

Updated to remove redundant check for single domain

[salcode]

I think we can remove the following check from sanitize_email()

	// Assume the domain will have at least two subs, whitelist localhost
	if ( 2 > count( $subs ) && 'localhost' !== strtolower( $domain ) ) {
		/** This filter is documented in wp-includes/formatting.php */
		return apply_filters( 'sanitize_email', '', $email, 'domain_no_periods' );
	}

because it is redundant with this check later in the function

	// If there aren't 2 or more valid subs, whitelist localhost
	if ( 2 > count( $new_subs ) && 'localhost' !== strtolower( $domain ) ) {
		/** This filter is documented in wp-includes/formatting.php */
		return apply_filters( 'sanitize_email', '', $email, 'domain_no_valid_subs' );
	}

I've updated this patch with 17433-4.diff

[ocean90]

#43108 was marked as a duplicate.