Ticket #15706: 15706.4.patch
| File 15706.4.patch, 9.4 KB (added by , 11 years ago) |
|---|
-
src/wp-includes/formatting.php
diff --git src/wp-includes/formatting.php src/wp-includes/formatting.php index 58b4f9d..0532f58 100644
function sanitize_option($option, $value) { 2935 2935 $value = array(); 2936 2936 2937 2937 foreach ( $domains as $domain ) { 2938 if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\. ])+$|', $domain ) )2938 if ( ! preg_match( '/(--|\.\.)/', $domain ) && preg_match( '|^([a-zA-Z0-9-\.\*])+$|', $domain ) ) 2939 2939 $value[] = $domain; 2940 2940 } 2941 2941 if ( ! $value ) -
src/wp-includes/ms-functions.php
diff --git src/wp-includes/ms-functions.php src/wp-includes/ms-functions.php index 6620998..0955a04 100644
function get_blog_id_from_url( $domain, $path = '/' ) { 373 373 */ 374 374 function is_email_address_unsafe( $user_email ) { 375 375 $banned_names = get_site_option( 'banned_email_domains' ); 376 if ( $banned_names && ! is_array( $banned_names ) )377 $banned_names = explode( "\n", $banned_names );378 376 379 $is_email_address_unsafe = false; 377 $is_email_domain_in_list = is_domain_in_list( $user_email, $banned_names ); 378 /** 379 * Filter a check for whether an email's domain is banned. 380 * 381 * @since 3.5.0 382 * 383 * @param bool $is_email_domain_in_list True if the email domain is banned. 384 * @param string $user_email The email provided by the user at registration. 385 */ 386 return apply_filters( 'is_email_address_unsafe', $is_email_domain_in_list, $user_email ); 387 } 388 389 /** 390 * Checks an email address against a whitelist of allowed domains. 391 * 392 * The email address is checked against the value of the 'limited_email_domains' 393 * option, which is only evaluated for self-registrations. User creation from 394 * the Network Admin bypasses this check. 395 * 396 * @since 3.7.0 397 * 398 * @param string $user_email The email provided by the user at registration. 399 * @return bool Returns true when the email address is allowed. 400 */ 401 function is_email_address_allowed( $user_email ) { 402 $allowed_names = get_site_option( 'limited_email_domains' ); 403 404 // Any address is allowed when no whitelist is present 405 if ( empty( $allowed_names ) ) { 406 $is_email_address_allowed = true; 407 } else { 408 $is_email_address_allowed = is_domain_in_list( $user_email, $allowed_names ); 409 } 410 411 /** 412 * Filter a check for whether an email's domain is allowed via whitelist. 413 * 414 * @since 3.7.0 415 * 416 * @param bool $is_email_address_allowed True when the email address is allowed. 417 * @param string $user_email The email provided by the user at registration. 418 */ 419 return apply_filters( 'is_email_address_allowed', $is_email_address_allowed, $user_email ); 420 } 421 422 /** 423 * Checks whether an email or domain is on a domain whitelist/blacklist 424 * 425 * Used by is_email_address_unsafe() and is_email_address_allowed() to do 426 * a wildcard-safe check of an email against an array of allowed/banned 427 * domains. 428 * 429 * Any complete section of a URL (between the dots) can be represented by 430 * a wildcard. Eg, 'test@foo.bar.com' will count as a match for '*.bar.com'. 431 * 432 * @since 3.7.0 433 * 434 * @param string $domain The string being checked (email or domain). 435 * @param array|string $domain_list Domains to check against. 436 * @return bool Returns true when the email matches one of the domains on the list. 437 */ 438 function is_domain_in_list( $domain, $domain_list ) { 439 if ( ! is_array( $domain_list ) ) { 440 $domain_list = explode( "\n", $domain_list ); 441 } 380 442 381 if ( $banned_names && is_array( $banned_names ) ) { 382 $banned_names = array_map( 'strtolower', $banned_names ); 383 $normalized_email = strtolower( $user_email ); 443 // If $domain is a full email address, parse out the domain 444 $atsign = strpos( $domain, '@' ); 445 if ( false !== $atsign ) { 446 $domain = substr( $domain, $atsign + 1 ); 447 } 384 448 385 list( $email_local_part, $email_domain ) = explode( '@', $normalized_email );449 $is_in_list = false; 386 450 387 foreach ( $banned_names as $banned_domain ) { 388 if ( ! $banned_domain ) 451 if ( $domain_list && is_array( $domain_list ) ) { 452 $domain_list = array_map( 'strtolower', $domain_list ); 453 $domain = strtolower( $domain ); 454 455 foreach ( $domain_list as $listed_domain ) { 456 if ( ! $listed_domain ) { 389 457 continue; 458 } 390 459 391 if ( $ email_domain == $banned_domain ) {392 $is_ email_address_unsafe= true;460 if ( $domain == $listed_domain ) { 461 $is_in_list = true; 393 462 break; 394 463 } 395 464 396 $dotted_domain = ".$ banned_domain";397 if ( $dotted_domain === substr( $ normalized_email, -strlen( $dotted_domain ) ) ) {398 $is_ email_address_unsafe= true;465 $dotted_domain = ".$listed_domain"; 466 if ( $dotted_domain === substr( $domain, -strlen( $dotted_domain ) ) ) { 467 $is_in_list = true; 399 468 break; 400 469 } 470 471 if ( false !== strpos( $listed_domain, '*' ) ) { 472 $domain_pattern = '|' . str_replace( '\*', '[a-zA-Z0-9-]+', preg_quote( $listed_domain ) ) . '|'; 473 preg_match( $domain_pattern, $domain, $matches ); 474 if ( isset( $matches[0] ) && $matches[0] == $domain ) { 475 $is_in_list = true; 476 break; 477 } 478 } 401 479 } 402 480 } 403 481 404 return apply_filters( 'is_email_address_unsafe', $is_email_address_unsafe, $user_email );482 return $is_in_list; 405 483 } 406 484 407 485 /** … … function wpmu_validate_user_signup($user_name, $user_email) { 470 548 if ( !is_email( $user_email ) ) 471 549 $errors->add('user_email', __( 'Please enter a valid email address.' ) ); 472 550 473 $limited_email_domains = get_site_option( 'limited_email_domains' ); 474 if ( is_array( $limited_email_domains ) && empty( $limited_email_domains ) == false ) { 475 $emaildomain = substr( $user_email, 1 + strpos( $user_email, '@' ) ); 476 if ( in_array( $emaildomain, $limited_email_domains ) == false ) 477 $errors->add('user_email', __('Sorry, that email address is not allowed!')); 478 } 551 if ( ! is_email_address_allowed( $user_email ) ) 552 $errors->add('user_email', __( 'Sorry, that email address is not allowed!' ) ); 479 553 480 554 // Check if the username has been used already. 481 555 if ( username_exists($user_name) ) -
tests/phpunit/tests/ms.php
diff --git tests/phpunit/tests/ms.php tests/phpunit/tests/ms.php index 34c35a0..c279128 100644
class Tests_MS extends WP_UnitTestCase { 897 897 898 898 /** 899 899 * @ticket 21570 900 * @ticket 15706 900 901 */ 901 902 function test_aggressiveness_of_is_email_address_unsafe() { 902 update_site_option( 'banned_email_domains', array( 'bar.com', 'foo.co' ) );903 update_site_option( 'banned_email_domains', array( 'bar.com', 'foo.co', '*.foo.org', 'foo.*.gov' ) ); 903 904 904 foreach ( array( 'test@bar.com', 'test@foo.bar.com', 'test@foo.co', 'test@subdomain.foo.co' ) as $email_address ) {905 foreach ( array( 'test@bar.com', 'test@foo.bar.com', 'test@foo.co', 'test@subdomain.foo.co', 'test@bar.foo.org', 'test@foo.bar.gov' ) as $email_address ) { 905 906 $this->assertTrue( is_email_address_unsafe( $email_address ), "$email_address should be UNSAFE" ); 906 907 } 907 908 908 foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com' ) as $email_address ) {909 foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com', 'test@bar.baz.foo.org', 'test@foo.bar.baz.gov' ) as $email_address ) { 909 910 $this->assertFalse( is_email_address_unsafe( $email_address ), "$email_address should be SAFE" ); 910 911 } 911 912 } 912 913 913 914 /** 914 915 * @ticket 25046 916 * @ticket 15706 915 917 */ 916 918 function test_case_sensitivity_of_is_email_address_unsafe() { 917 update_site_option( 'banned_email_domains', array( 'baR.com', 'Foo.co', 'barfoo.COM', 'BAZ.com' ) );919 update_site_option( 'banned_email_domains', array( 'baR.com', 'Foo.co', 'barfoo.COM', 'BAZ.com', '*.fOo.org', 'foo.*.Gov' ) ); 918 920 919 foreach ( array( 'test@Bar.com', 'tEst@bar.com', 'test@barFoo.com', 'tEst@foo.bar.com', 'test@baz.Com' ) as $email_address ) {921 foreach ( array( 'test@Bar.com', 'tEst@bar.com', 'test@barFoo.com', 'tEst@foo.bar.com', 'test@baz.Com', 'test@bAR.foo.org', 'test@fOO.bar.gov' ) as $email_address ) { 920 922 $this->assertTrue( is_email_address_unsafe( $email_address ), "$email_address should be UNSAFE" ); 921 923 } 922 924 923 foreach ( array( 'test@Foobar.com', 'test@Foo-bar.com', 'tEst@foobar.com', 'test@Subdomain.Foo.com', 'test@fooBAz.com' ) as $email_address ) {925 foreach ( array( 'test@Foobar.com', 'test@Foo-bar.com', 'tEst@foobar.com', 'test@Subdomain.Foo.com', 'test@fooBAz.com', 'test@bar.bAZ.foo.org', 'test@foo.BAr.baz.gov' ) as $email_address ) { 924 926 $this->assertFalse( is_email_address_unsafe( $email_address ), "$email_address should be SAFE" ); 925 927 } 926 928 927 929 } 930 931 /** 932 * @ticket 15706 933 */ 934 function test_is_email_address_allowed() { 935 update_site_option( 'limited_email_domains', array( 'bar.com', 'foo.co', '*.foo.org', 'foo.*.gov' ) ); 936 937 foreach ( array( 'test@bar.com', 'test@foo.co', 'test@bar.foo.org', 'test@foo.bar.gov' ) as $email_address ) { 938 $this->assertTrue( is_email_address_allowed( $email_address ), "$email_address should be SAFE" ); 939 } 940 941 foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com', 'test@bar.baz.foo.org', 'test@foo.bar.baz.gov' ) as $email_address ) { 942 $this->assertFalse( is_email_address_allowed( $email_address ), "$email_address should be UNSAFE" ); 943 } 944 945 update_site_option( 'limited_email_domains', '' ); 946 947 foreach ( array( 'test@foobar.com', 'test@foo-bar.com', 'test@foo.com', 'test@subdomain.foo.com', 'test@bar.baz.foo.org', 'test@foo.bar.baz.gov' ) as $email_address ) { 948 $this->assertTrue( is_email_address_allowed( $email_address ), "$email_address should be SAFE" ); 949 } 950 } 951 928 952 /** 929 953 * @ticket 21552 930 954 * @ticket 23418