Ticket #15706: 15706.4.diff
File 15706.4.diff, 8.7 KB (added by , 11 years ago) |
src/wp-includes/formatting.php
2935 2935 $value = array(); 2936 2936 2937 2937 foreach ( $domains as $domain ) { 2938 if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\. ])+$|', $domain ) )2938 if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.\*])+$|', $domain ) ) 2939 2939 $value[] = $domain; 2940 2940 } 2941 2941 if ( ! $value ) -
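Review bot: The widened character class on the new line 2938 accepts `*` in any position and any number of times (`foo*bar.com`, `**.com`), while is_email_domain_in_list() describes a wildcard as standing for a complete dot-separated label; a `*` glued to other characters is stored and then expanded by that matcher into an in-label pattern whose semantics are not documented anywhere an operator would see. Since the sanitizer already rejects `--` and `..` on the same line, the same check can reject a `*` that is not a whole label: `if ( ! preg_match( '/(--|\.\.|\*[^.]|[^.]\*)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.\*])+$|', $domain ) )`. Whether `*` alone should remain acceptable is a product decision; the enclosing sanitize branch starts before this hunk, so I cannot see which options feed it.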
src/wp-includes/ms-functions.php
373 373 */ 374 374 function is_email_address_unsafe( $user_email ) { 375 375 $banned_names = get_site_option( 'banned_email_domains' ); 376 if ( $banned_names && ! is_array( $banned_names ) )377 $banned_names = explode( "\n", $banned_names );378 376 379 $is_email_address_unsafe = false; 377 return apply_filters( 'is_email_address_unsafe', is_email_domain_in_list( $user_email, $banned_names ), $user_email ); 378 } 380 379 381 if ( $banned_names && is_array( $banned_names ) ) { 382 $banned_names = array_map( 'strtolower', $banned_names ); 383 $normalized_email = strtolower( $user_email ); 380 /** 381 * Checks an email address against a whitelist of allowed domains. 382 * 383 * This function checks against the Limited Email Domains list 384 * at wp-admin/network/settings.php. The check is only run on 385 * self-registrations; user creation at wp-admin/network/users.php 386 * bypasses this check. 387 * 388 * @since 3.7 389 * 390 * @param string $user_email The email provided by the user at registration. 391 * @return bool Returns true when the email address is allowed. 392 */ 393 function is_email_address_allowed( $user_email ) { 394 $allowed_names = get_site_option( 'limited_email_domains' ); 384 395 396 // Any address is allowed when no whitelist is present 397 if ( empty( $allowed_names ) ) { 398 $is_email_address_allowed = true; 399 } else { 400 $is_email_address_allowed = is_email_domain_in_list( $user_email, $allowed_names ); 401 } 402 403 return apply_filters( 'is_email_address_allowed', $is_email_address_allowed, $user_email ); 404 } 405 406 /** 407 * Checks whether an email is on a whitelist/blacklist 408 * 409 * Used by is_email_address_unsafe() and is_email_address_allowed() to do 410 * a wildcard-safe check of an email against an array of allowed/banned 411 * domains. 412 * 413 * Any complete section of a URL (between the dots) can be represented by 414 * a wildcard. Eg, 'test@foo.bar.com' will count as a match for '*.bar.com'. 
415 * 416 * @since 3.7 417 * 418 * @param string $email The email address being checked 419 * @param array|string $domain_list Domains to check against 420 * @return bool Returns true when the email matches one of the domains on 421 * the list 422 */ 423 function is_email_domain_in_list( $email, $domain_list ) { 424 if ( ! is_array( $domain_list ) ) { 425 $domain_list = explode( "\n", $domain_list ); 426 } 427 428 $is_in_list = false; 429 430 if ( $domain_list && is_array( $domain_list ) ) { 431 $domain_list = array_map( 'strtolower', $domain_list ); 432 $normalized_email = strtolower( $email ); 385 433 list( $email_local_part, $email_domain ) = explode( '@', $normalized_email ); 386 434 387 foreach ( $ banned_names as $banned_domain ) {388 if ( ! $ banned_domain )435 foreach ( $domain_list as $domain ) { 436 if ( ! $domain ) { 389 437 continue; 438 } 390 439 391 if ( $email_domain == $ banned_domain ) {392 $is_ email_address_unsafe= true;440 if ( $email_domain == $domain ) { 441 $is_in_list = true; 393 442 break; 394 443 } 395 444 396 $dotted_domain = ".$ banned_domain";397 if ( $dotted_domain === substr( $ normalized_email, -strlen( $dotted_domain ) ) ) {398 $is_ email_address_unsafe= true;445 $dotted_domain = ".$domain"; 446 if ( $dotted_domain === substr( $email, -strlen( $dotted_domain ) ) ) { 447 $is_in_list = true; 399 448 break; 400 449 } 450 451 if ( false !== strpos( $domain, '*' ) ) { 452 $domain_pattern = '|' . str_replace( '\*', '[a-zA-Z0-9-]+', preg_quote( $domain ) ) . '|'; 453 preg_match( $domain_pattern, $email_domain, $matches ); 454 if ( isset( $matches[0] ) && $matches[0] == $email_domain ) { 455 $is_in_list = true; 456 break; 457 } 458 } 401 459 } 402 }460 } 403 461 404 return apply_filters( 'is_email_address_unsafe', $is_email_address_unsafe, $user_email );462 return $is_in_list; 405 463 } 406 464 407 465 /** … … 470 528 if ( !is_email( $user_email ) ) 471 529 $errors->add('user_email', __( 'Please enter a valid email address.' 
) ); 472 530 473 $limited_email_domains = get_site_option( 'limited_email_domains' ); 474 if ( is_array( $limited_email_domains ) && empty( $limited_email_domains ) == false ) { 475 $emaildomain = substr( $user_email, 1 + strpos( $user_email, '@' ) ); 476 if ( in_array( $emaildomain, $limited_email_domains ) == false ) 477 $errors->add('user_email', __('Sorry, that email address is not allowed!')); 478 } 531 if ( ! is_email_address_allowed( $user_email ) ) 532 $errors->add('user_email', __('Sorry, that email address is not allowed!')); 479 533 480 534 // Check if the username has been used already. 481 535 if ( username_exists($user_name) ) -
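Review bot: The suffix check on the new line 446 compares `$dotted_domain` against `substr( $email, ... )`, the raw address, whereas the removed line 397 used the lowercased `$normalized_email`; because `$domain_list` is lowercased on line 432, an address like `test@foo.BAR.com` no longer matches a banned `bar.com`, and the existing case-sensitivity test does not catch this since its mixed-case samples hit the exact-match or wildcard branches. Change it to `if ( $dotted_domain === substr( $normalized_email, -strlen( $dotted_domain ) ) ) {`. Separately, `preg_quote( $domain )` on line 452 is called without the delimiter argument, so a list entry containing `|` (the option sanitizer in formatting.php normally rejects it, but this function is public and accepts any array or string) would terminate the pattern; `preg_quote( $domain, '|' )` plus `^`/`$` anchors would also let the `$matches[0] == $email_domain` comparison on line 454 become a plain check of preg_match()'s return value. `is_email_domain_in_list()` sits entirely in this hunk; the `wpmu_validate_user_signup()` caller at line 531 starts and ends outside it.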
tests/phpunit/tests/ms.php
839 839 * @ticket 21570 840 840 */ 841 841 function test_aggressiveness_of_is_email_address_unsafe() { 842 update_site_option( 'banned_email_domains', array( 'bar.com', 'foo.co' ) );842 update_site_option( 'banned_email_domains', array( 'bar.com', 'foo.co', '*.foo.org', 'foo.*.gov' ) ); 843 843 844 foreach ( array( 'test@bar.com', 'test@foo.bar.com', 'test@foo.co', 'test@subdomain.foo.co' ) as $email_address ) {844 foreach ( array( 'test@bar.com', 'test@foo.bar.com', 'test@foo.co', 'test@subdomain.foo.co', 'test@bar.foo.org', 'test@foo.bar.gov' ) as $email_address ) { 845 845 $this->assertTrue( is_email_address_unsafe( $email_address ), "$email_address should be UNSAFE" ); 846 846 } 847 847 848 foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com' ) as $email_address ) {848 foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com', 'test@bar.baz.foo.org', 'test@foo.bar.baz.gov' ) as $email_address ) { 849 849 $this->assertFalse( is_email_address_unsafe( $email_address ), "$email_address should be SAFE" ); 850 850 } 851 851 } … … 854 854 * @ticket 25046 855 855 */ 856 856 function test_case_sensitivity_of_is_email_address_unsafe() { 857 update_site_option( 'banned_email_domains', array( 'baR.com', 'Foo.co', 'barfoo.COM', 'BAZ.com' ) );857 update_site_option( 'banned_email_domains', array( 'baR.com', 'Foo.co', 'barfoo.COM', 'BAZ.com', '*.fOo.org', 'foo.*.Gov' ) ); 858 858 859 foreach ( array( 'test@Bar.com', 'tEst@bar.com', 'test@barFoo.com', 'tEst@foo.bar.com', 'test@baz.Com' ) as $email_address ) {859 foreach ( array( 'test@Bar.com', 'tEst@bar.com', 'test@barFoo.com', 'tEst@foo.bar.com', 'test@baz.Com', 'test@bAR.foo.org', 'test@fOO.bar.gov' ) as $email_address ) { 860 860 $this->assertTrue( is_email_address_unsafe( $email_address ), "$email_address should be UNSAFE" ); 861 861 } 862 862 863 foreach ( array( 'test@Foobar.com', 'test@Foo-bar.com', 'tEst@foobar.com', 
'test@Subdomain.Foo.com', 'test@fooBAz.com' ) as $email_address ) {863 foreach ( array( 'test@Foobar.com', 'test@Foo-bar.com', 'tEst@foobar.com', 'test@Subdomain.Foo.com', 'test@fooBAz.com', 'test@bar.bAZ.foo.org', 'test@foo.BAr.baz.gov' ) as $email_address ) { 864 864 $this->assertFalse( is_email_address_unsafe( $email_address ), "$email_address should be SAFE" ); 865 865 } 866 866 867 867 } 868 869 function test_is_email_address_allowed() { 870 update_site_option( 'limited_email_domains', array( 'bar.com', 'foo.co', '*.foo.org', 'foo.*.gov' ) ); 871 872 foreach ( array( 'test@bar.com', 'test@foo.bar.com', 'test@foo.co', 'test@subdomain.foo.co', 'test@bar.foo.org', 'test@foo.bar.gov' ) as $email_address ) { 873 $this->assertTrue( is_email_address_allowed( $email_address ), "$email_address should be UNSAFE" ); 874 } 875 876 foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com', 'test@bar.baz.foo.org', 'test@foo.bar.baz.gov' ) as $email_address ) { 877 $this->assertFalse( is_email_address_allowed( $email_address ), "$email_address should be SAFE" ); 878 } 879 880 update_site_option( 'limited_email_domains', '' ); 881 882 foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com', 'test@bar.baz.foo.org', 'test@foo.bar.baz.gov' ) as $email_address ) { 883 $this->assertTrue( is_email_address_allowed( $email_address ), "$email_address should be SAFE" ); 884 } 885 } 886 868 887 /** 869 888 * @ticket 21552 870 889 * @ticket 23418
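Review bot: The assertion messages in the new `test_is_email_address_allowed()` are copied from the unsafe-list test and say the opposite of what is asserted: line 873 reports "should be UNSAFE" for an address expected to be allowed, and lines 877 and 883 both say "should be SAFE" although 877 expects rejection. Use `"$email_address should be ALLOWED"` on 873 and 883 and `"$email_address should NOT be allowed"` on 877 so a failure reads correctly. The new test also has no docblock; the neighbouring tests carry `@ticket` annotations, so a `/** @ticket 15706 */` header in the same style would keep the file consistent. None of the three tests exercises a mixed-case domain through the dotted-suffix branch of is_email_domain_in_list() (for example `test@foo.BAR.com` against `bar.com`), which is where the suffix comparison reads the un-normalized address; adding one such sample to the case-sensitivity lists would cover it.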