Ticket #15706: 15706.3.patch

wp-includes/formatting.php

@@ -2935 +2935 @@
                         $value = array();
 
                         foreach ( $domains as $domain ) {
-                                if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.])+$|', $domain ) )
+                                if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.\*])+$|', $domain ) )
                                         $value[] = $domain;
                         }
                         if ( ! $value )

wp-includes/ms-functions.php

@@ -373 +373 @@
  */
 function is_email_address_unsafe( $user_email ) {
         $banned_names = get_site_option( 'banned_email_domains' );
-        if ( $banned_names && ! is_array( $banned_names ) )
-                $banned_names = explode( "\n", $banned_names );
 
-        $is_email_address_unsafe = false;
+        return apply_filters( 'is_email_address_unsafe', is_email_domain_in_list( $user_email, $banned_names ), $user_email );
+}
 
-        if ( $banned_names && is_array( $banned_names ) ) {
-                list( $email_local_part, $email_domain ) = explode( '@', $user_email );
+/**
+ * Checks an email address against a whitelist of allowed domains.
+ *
+ * This function checks against the Limited Email Domains list
+ * at wp-admin/network/settings.php. The check is only run on
+ * self-registrations; user creation at wp-admin/network/users.php
+ * bypasses this check.
+ *
+ * @since 3.7
+ *
+ * @param string $user_email The email provided by the user at registration.
+ * @return bool Returns true when the email address is allowed.
+ */
+function is_email_address_allowed( $user_email ) {
+        $allowed_names = get_site_option( 'limited_email_domains' );
 
-                foreach ( $banned_names as $banned_domain ) {
-                        if ( ! $banned_domain )
+        // Any address is allowed when no whitelist is present
+        if ( empty( $allowed_names ) ) {
+                $is_email_address_allowed = true;
+        } else {
+                $is_email_address_allowed = is_email_domain_in_list( $user_email, $allowed_names );
+        }
+
+        return apply_filters( 'is_email_address_allowed', $is_email_address_allowed, $user_email );
+}
+
+/**
+ * Checks whether an email is on a whitelist/blacklist
+ *
+ * Used by is_email_address_unsafe() and is_email_address_allowed() to do
+ * a wildcard-safe check of an email against an array of allowed/banned
+ * domains.
+ *
+ * Any complete section of a URL (between the dots) can be represented by
+ * a wildcard. Eg, 'test@foo.bar.com' will count as a match for '*.bar.com'.
+ *
+ * @since 3.7
+ *
+ * @param string $email The email address being checked
+ * @param array|string $domain_list Domains to check against
+ * @return bool Returns true when the email matches one of the domains on
+ *   the list
+ */
+function is_email_domain_in_list( $email, $domain_list ) {
+        if ( ! is_array( $domain_list ) ) {
+                $domain_list = explode( "\n", $domain_list );
+        }
+
+        $is_in_list = false;
+
+        if ( $domain_list && is_array( $domain_list ) ) {
+                list( $email_local_part, $email_domain ) = explode( '@', $email );
+
+                foreach ( $domain_list as $domain ) {
+                        if ( ! $domain ) {
                                 continue;
+                        }
 
-                        if ( $email_domain == $banned_domain ) {
-                                $is_email_address_unsafe = true;
+                        if ( $email_domain == $domain ) {
+                                $is_in_list = true;
                                 break;
                         }
 
-                        $dotted_domain = ".$banned_domain";
-                        if ( $dotted_domain === substr( $user_email, -strlen( $dotted_domain ) ) ) {
-                                $is_email_address_unsafe = true;
+                        $dotted_domain = ".$domain";
+                        if ( $dotted_domain === substr( $email, -strlen( $dotted_domain ) ) ) {
+                                $is_in_list = true;
                                 break;
                         }
+
+                        if ( false !== strpos( $domain, '*' ) ) {
+                                $domain_pattern = '|' . str_replace( '\*', '[a-zA-Z0-9-]+', preg_quote( $domain ) ) . '|';
+                                preg_match( $domain_pattern, $email_domain, $matches );
+                                if ( isset( $matches[0] ) && $matches[0] == $email_domain ) {
+                                        $is_in_list = true;
+                                        break;
+                                }
+                        }
                 }
+
+                return $is_in_list;
         }
-
-        return apply_filters( 'is_email_address_unsafe', $is_email_address_unsafe, $user_email );
 }
 
 /**
@@ -467 +526 @@
         if ( !is_email( $user_email ) )
                 $errors->add('user_email', __( 'Please enter a valid email address.' ) );
 
+        if ( ! is_email_address_allowed( $user_email ) ) {
         $limited_email_domains = get_site_option( 'limited_email_domains' );
-        if ( is_array( $limited_email_domains ) && empty( $limited_email_domains ) == false ) {
-                $emaildomain = substr( $user_email, 1 + strpos( $user_email, '@' ) );
-                if ( in_array( $emaildomain, $limited_email_domains ) == false )
-                        $errors->add('user_email', __('Sorry, that email address is not allowed!'));
+                $errors->add('user_email', __('Sorry, that email address is not allowed!'));
         }
 
         // Check if the username has been used already.