WordPress.org

Make WordPress Core

Ticket #15706: 15706.3.diff

File 15706.3.diff, 9.2 KB (added by helen, 8 years ago)
  • tests/phpunit/tests/ms.php

     
    837837
    838838        /**
    839839         * @ticket 21570
     840         * @ticket 15706
    840841         */
    841842        function test_aggressiveness_of_is_email_address_unsafe() {
    842                 update_site_option( 'banned_email_domains', array( 'bar.com', 'foo.co' ) );
     843                update_site_option( 'banned_email_domains', array( 'bar.com', 'foo.co', '*.foo.org', 'foo.*.gov' ) );
    843844
    844                 foreach ( array( 'test@bar.com', 'test@foo.bar.com', 'test@foo.co', 'test@subdomain.foo.co' ) as $email_address ) {
     845                foreach ( array( 'test@bar.com', 'test@foo.bar.com', 'test@foo.co', 'test@subdomain.foo.co', 'test@bar.foo.org', 'test@foo.bar.gov' ) as $email_address ) {
    845846                        $this->assertTrue( is_email_address_unsafe( $email_address ), "$email_address should be UNSAFE" );
    846847                }
    847848
    848                 foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com' ) as $email_address ) {
     849                foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com', 'test@bar.baz.foo.org', 'test@foo.bar.baz.gov' ) as $email_address ) {
    849850                        $this->assertFalse( is_email_address_unsafe( $email_address ), "$email_address should be SAFE" );
    850851                }
    851852        }
    852853
    853854        /**
    854855         * @ticket 25046
     856         * @ticket 15706
    855857         */
    856858        function test_case_sensitivity_of_is_email_address_unsafe() {
    857                 update_site_option( 'banned_email_domains', array( 'baR.com', 'Foo.co', 'barfoo.COM', 'BAZ.com' ) );
     859                update_site_option( 'banned_email_domains', array( 'baR.com', 'Foo.co', 'barfoo.COM', 'BAZ.com', '*.fOo.org', 'foo.*.Gov' ) );
    858860
    859                 foreach ( array( 'test@Bar.com', 'tEst@bar.com', 'test@barFoo.com', 'tEst@foo.bar.com', 'test@baz.Com' ) as $email_address ) {
     861                foreach ( array( 'test@Bar.com', 'tEst@bar.com', 'test@barFoo.com', 'tEst@foo.bar.com', 'test@baz.Com', 'test@bAR.foo.org', 'test@fOO.bar.gov' ) as $email_address ) {
    860862                        $this->assertTrue( is_email_address_unsafe( $email_address ), "$email_address should be UNSAFE" );
    861863                }
    862864
    863                 foreach ( array( 'test@Foobar.com', 'test@Foo-bar.com', 'tEst@foobar.com', 'test@Subdomain.Foo.com', 'test@fooBAz.com' ) as $email_address ) {
     865                foreach ( array( 'test@Foobar.com', 'test@Foo-bar.com', 'tEst@foobar.com', 'test@Subdomain.Foo.com', 'test@fooBAz.com', 'test@bar.bAZ.foo.org', 'test@foo.BAr.baz.gov' ) as $email_address ) {
    864866                        $this->assertFalse( is_email_address_unsafe( $email_address ), "$email_address should be SAFE" );
    865867                }
    866868
    867869        }
     870
    868871        /**
     872         * @ticket 15706
     873         */
     874        function test_is_email_address_allowed() {
     875                update_site_option( 'limited_email_domains', array( 'bar.com', 'foo.co', '*.foo.org', 'foo.*.gov' ) );
     876
     877                foreach ( array( 'test@bar.com', 'test@foo.bar.com', 'test@foo.co', 'test@subdomain.foo.co', 'test@bar.foo.org', 'test@foo.bar.gov' ) as $email_address ) {
     878                        $this->assertTrue( is_email_address_allowed( $email_address ), "$email_address should be UNSAFE" );
     879                }
     880
     881                foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com', 'test@bar.baz.foo.org', 'test@foo.bar.baz.gov' ) as $email_address ) {
     882                        $this->assertFalse( is_email_address_allowed( $email_address ), "$email_address should be SAFE" );
     883                }
     884
     885                update_site_option( 'limited_email_domains', '' );
     886
     887                foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com', 'test@bar.baz.foo.org', 'test@foo.bar.baz.gov' ) as $email_address ) {
     888                        $this->assertTrue( is_email_address_allowed( $email_address ), "$email_address should be SAFE" );
     889                }
     890        }
     891
     892        /**
    869893         * @ticket 21552
    870894         * @ticket 23418
    871895         */
  • src/wp-includes/formatting.php

     
    29352935                        $value = array();
    29362936
    29372937                        foreach ( $domains as $domain ) {
    2938                                 if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.])+$|', $domain ) )
     2938                                if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.\*])+$|', $domain ) )
    29392939                                        $value[] = $domain;
    29402940                        }
    29412941                        if ( ! $value )
  • src/wp-includes/ms-functions.php

     
    373373 */
    374374function is_email_address_unsafe( $user_email ) {
    375375        $banned_names = get_site_option( 'banned_email_domains' );
    376         if ( $banned_names && ! is_array( $banned_names ) )
    377                 $banned_names = explode( "\n", $banned_names );
    378376
    379         $is_email_address_unsafe = false;
     377        $is_email_domain_in_list = is_email_domain_in_list( $user_email, $banned_names );
     378        /**
     379         * Filter a check for whether an email's domain is banned.
     380         *
     381         * @since 3.5.0
     382         *
     383         * @param bool $is_email_domain_in_list True if the email domain is banned.
     384         * @param string $user_email The email provided by the user at registration.
     385         */
     386        return apply_filters( 'is_email_address_unsafe', $is_email_domain_in_list, $user_email );
     387}
    380388
    381         if ( $banned_names && is_array( $banned_names ) ) {
    382                 $banned_names = array_map( 'strtolower', $banned_names );
    383                 $normalized_email = strtolower( $user_email );
     389/**
     390 * Checks an email address against a whitelist of allowed domains.
     391 *
     392 * The email address is checked against the value of the 'limited_email_domains'
     393 * option, which is only evaluated for self-registrations. User creation from
     394 * the Network Admin bypasses this check.
     395 *
     396 * @since 3.7.0
     397 *
     398 * @param string $user_email The email provided by the user at registration.
     399 * @return bool Returns true when the email address is allowed.
     400 */
     401function is_email_address_allowed( $user_email ) {
     402        $allowed_names = get_site_option( 'limited_email_domains' );
    384403
     404        // Any address is allowed when no whitelist is present
     405        if ( empty( $allowed_names ) ) {
     406                $is_email_address_allowed = true;
     407        } else {
     408                $is_email_address_allowed = is_email_domain_in_list( $user_email, $allowed_names );
     409        }
     410
     411        /**
     412         * Filter a check for whether an email's domain is allowed via whitelist.
     413         *
     414         * @since 3.7.0
     415         *
     416         * @param bool $is_email_address_allowed True when the email address is allowed.
     417         * @param string $user_email The email provided by the user at registration.
     418         */
     419        return apply_filters( 'is_email_address_allowed', $is_email_address_allowed, $user_email );
     420}
     421
     422/**
     423 * Checks whether an email is on a whitelist/blacklist
     424 *
     425 * Used by is_email_address_unsafe() and is_email_address_allowed() to do
     426 * a wildcard-safe check of an email against an array of allowed/banned
     427 * domains.
     428 *
     429 * Any complete section of a URL (between the dots) can be represented by
     430 * a wildcard. Eg, 'test@foo.bar.com' will count as a match for '*.bar.com'.
     431 *
     432 * @since 3.7.0
     433 *
     434 * @param string       $email       The email address being checked.
     435 * @param array|string $domain_list Domains to check against.
     436 * @return bool Returns true when the email matches one of the domains on the list.
     437 */
     438function is_email_domain_in_list( $email, $domain_list ) {
     439        if ( ! is_array( $domain_list ) ) {
     440                $domain_list = explode( "\n", $domain_list );
     441        }
     442
     443        $is_in_list = false;
     444
     445        if ( $domain_list && is_array( $domain_list ) ) {
     446                $domain_list = array_map( 'strtolower', $domain_list );
     447                $normalized_email = strtolower( $email );
    385448                list( $email_local_part, $email_domain ) = explode( '@', $normalized_email );
    386449
    387                 foreach ( $banned_names as $banned_domain ) {
    388                         if ( ! $banned_domain )
     450                foreach ( $domain_list as $domain ) {
     451                        if ( ! $domain ) {
    389452                                continue;
     453                        }
    390454
    391                         if ( $email_domain == $banned_domain ) {
    392                                 $is_email_address_unsafe = true;
     455                        if ( $email_domain == $domain ) {
     456                                $is_in_list = true;
    393457                                break;
    394458                        }
    395459
    396                         $dotted_domain = ".$banned_domain";
    397                         if ( $dotted_domain === substr( $normalized_email, -strlen( $dotted_domain ) ) ) {
    398                                 $is_email_address_unsafe = true;
     460                        $dotted_domain = ".$domain";
     461                        if ( $dotted_domain === substr( $email, -strlen( $dotted_domain ) ) ) {
     462                                $is_in_list = true;
    399463                                break;
    400464                        }
     465
     466                        if ( false !== strpos( $domain, '*' ) ) {
     467                                $domain_pattern = '|' . str_replace( '\*', '[a-zA-Z0-9-]+', preg_quote( $domain ) ) . '|';
     468                                preg_match( $domain_pattern, $email_domain, $matches );
     469                                if ( isset( $matches[0] ) && $matches[0] == $email_domain ) {
     470                                        $is_in_list = true;
     471                                        break;
     472                                }
     473                        }
    401474                }
    402475        }
    403476
    404         return apply_filters( 'is_email_address_unsafe', $is_email_address_unsafe, $user_email );
     477        return $is_in_list;
    405478}
    406479
    407480/**
     
    470543        if ( !is_email( $user_email ) )
    471544                $errors->add('user_email', __( 'Please enter a valid email address.' ) );
    472545
    473         $limited_email_domains = get_site_option( 'limited_email_domains' );
    474         if ( is_array( $limited_email_domains ) && empty( $limited_email_domains ) == false ) {
    475                 $emaildomain = substr( $user_email, 1 + strpos( $user_email, '@' ) );
    476                 if ( in_array( $emaildomain, $limited_email_domains ) == false )
    477                         $errors->add('user_email', __('Sorry, that email address is not allowed!'));
    478         }
     546        if ( ! is_email_address_allowed( $user_email ) )
     547                $errors->add('user_email', __( 'Sorry, that email address is not allowed!' ) );
    479548
    480549        // Check if the username has been used already.
    481550        if ( username_exists($user_name) )