Ticket #17904: 17904.3.patch

File 17904.3.patch, 11.5 KB (added by imath, 5 years ago)
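--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@@ -20,7 +20,7 @@ function add_user() {
 /**
  * Edit user settings based on contents of $_POST
  *
- * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
+ * Used on user-edit.php, user-new.php, and profile.php to manage and process user options, passwords etc.
  *
  * @since 2.0.0
  *
@@ -39,9 +39,6 @@ function edit_user( $user_id = 0 ) {
                 $update = false;
         }
 
-        if ( !$update && isset( $_POST['user_login'] ) )
-                $user->user_login = sanitize_user($_POST['user_login'], true);
-
         $pass1 = $pass2 = '';
         if ( isset( $_POST['pass1'] ) )
                 $pass1 = $_POST['pass1'];
@@ -104,9 +101,16 @@ function edit_user( $user_id = 0 ) {
 
         $errors = new WP_Error();
 
-        /* checking that username has been typed */
-        if ( $user->user_login == '' )
-                $errors->add( 'user_login', __( '<strong>ERROR</strong>: Please enter a username.' ) );
+        /* Validate the user_login when not updating the user */
+        if ( ! $update ) {
+                $user_login = '';
+
+                if ( isset( $_POST['user_login'] ) ) {
+                        $user_login = $_POST['user_login'];
+                }
+
+                $user->user_login = wp_validate_user_login( $user_login, $errors );
+        }
 
         /* checking the password has been typed twice */
         /**
@@ -143,12 +147,6 @@ function edit_user( $user_id = 0 ) {
         if ( !empty( $pass1 ) )
                 $user->user_pass = $pass1;
 
-        if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) )
-                $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ));
-
-        if ( !$update && username_exists( $user->user_login ) )
-                $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ));
-
         /* checking e-mail address */
         if ( empty( $user->user_email ) ) {
                 $errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please enter an e-mail address.' ), array( 'form-field' => 'email' ) );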
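Review bot: The assignment `$user->user_login = wp_validate_user_login( $user_login, $errors );` in the third hunk depends on wp_validate_user_login() returning the filtered login string, which its body does through apply_filters_ref_array(); its docblock in the src/wp-includes/user.php hunk, however, states `@return array Contains user_login, original_user_login, and any generated errors`, so either the docblock or the return contract must be corrected before a caller starts treating the value as an array. The username failures also move from error code `user_login` with `<strong>ERROR</strong>`-prefixed messages (see the removed lines in the third and fourth hunks) to code `user_name` with unprefixed messages inside the shared validator, which differs from the `empty_email` check that follows; any template or caller that keys on the old code, presumably user-new.php, should be checked. edit_user()'s body starts and ends outside these hunks.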
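--- a/src/wp-includes/ms-functions.php
+++ b/src/wp-includes/ms-functions.php
@@ -450,51 +450,27 @@ function is_email_address_unsafe( $user_email ) {
  *
  * @since MU
  *
- * @param string $user_name The login name provided by the user.
+ * @param string $user_login The login name provided by the user.
  * @param string $user_email The email provided by the user.
  * @return array Contains username, email, and error messages.
  */
-function wpmu_validate_user_signup($user_name, $user_email) {
+function wpmu_validate_user_signup( $user_login, $user_email ) {
         global $wpdb;
 
         $errors = new WP_Error();
+        $orig_userlogin = $user_login;
 
-        $orig_username = $user_name;
-        $user_name = preg_replace( '/\s+/', '', sanitize_user( $user_name, true ) );
-
-        if ( $user_name != $orig_username || preg_match( '/[^a-z0-9]/', $user_name ) ) {
-                $errors->add( 'user_name', __( 'Only lowercase letters (a-z) and numbers are allowed.' ) );
-                $user_name = $orig_username;
-        }
+        $user_login = wp_validate_user_login( $user_login, $errors );
 
         $user_email = sanitize_email( $user_email );
 
-        if ( empty( $user_name ) )
-                $errors->add('user_name', __( 'Please enter a username.' ) );
-
-        $illegal_names = get_site_option( 'illegal_names' );
-        if ( is_array( $illegal_names ) == false ) {
-                $illegal_names = array(  'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator' );
-                add_site_option( 'illegal_names', $illegal_names );
-        }
-        if ( in_array( $user_name, $illegal_names ) == true )
-                $errors->add('user_name',  __( 'That username is not allowed.' ) );
-
-        if ( is_email_address_unsafe( $user_email ) )
+        if ( is_email_address_unsafe( $user_email ) ) {
                 $errors->add('user_email',  __('You cannot use that email address to signup. We are having problems with them blocking some of our email. Please use another email provider.'));
+        }
 
-        if ( strlen( $user_name ) < 4 )
-                $errors->add('user_name',  __( 'Username must be at least 4 characters.' ) );
-
-        if ( strpos( ' ' . $user_name, '_' ) != false )
-                $errors->add( 'user_name', __( 'Sorry, usernames may not contain the character &#8220;_&#8221;!' ) );
-
-        // all numeric?
-        if ( preg_match( '/^[0-9]*$/', $user_name ) )
-                $errors->add('user_name', __('Sorry, usernames must have letters too!'));
-
-        if ( !is_email( $user_email ) )
+        if ( ! is_email( $user_email ) ) {
                 $errors->add('user_email', __( 'Please enter a valid email address.' ) );
+        }
 
         $limited_email_domains = get_site_option( 'limited_email_domains' );
         if ( is_array( $limited_email_domains ) && empty( $limited_email_domains ) == false ) {
@@ -503,38 +479,37 @@ function wpmu_validate_user_signup($user_name, $user_email) {
                         $errors->add('user_email', __('Sorry, that email address is not allowed!'));
         }
 
-        // Check if the username has been used already.
-        if ( username_exists($user_name) )
-                $errors->add( 'user_name', __( 'Sorry, that username already exists!' ) );
-
         // Check if the email address has been used already.
-        if ( email_exists($user_email) )
+        if ( email_exists( $user_email ) ) {
                 $errors->add( 'user_email', __( 'Sorry, that email address is already used!' ) );
+        }
 
         // Has someone already signed up for this username?
-        $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_login = %s", $user_name) );
+        $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_login = %s", $user_login ) );
         if ( $signup != null ) {
                 $registered_at =  mysql2date('U', $signup->registered);
                 $now = current_time( 'timestamp', true );
                 $diff = $now - $registered_at;
                 // If registered more than two days ago, cancel registration and let this signup go through.
-                if ( $diff > 2 * DAY_IN_SECONDS )
-                        $wpdb->delete( $wpdb->signups, array( 'user_login' => $user_name ) );
-                else
+                if ( $diff > 2 * DAY_IN_SECONDS ) {
+                        $wpdb->delete( $wpdb->signups, array( 'user_login' => $user_login ) );
+                } else {
                         $errors->add('user_name', __('That username is currently reserved but may be available in a couple of days.'));
+                }
         }
 
-        $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_email = %s", $user_email) );
+        $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_email = %s", $user_email ) );
         if ( $signup != null ) {
                 $diff = current_time( 'timestamp', true ) - mysql2date('U', $signup->registered);
                 // If registered more than two days ago, cancel registration and let this signup go through.
-                if ( $diff > 2 * DAY_IN_SECONDS )
+                if ( $diff > 2 * DAY_IN_SECONDS ) {
                         $wpdb->delete( $wpdb->signups, array( 'user_email' => $user_email ) );
-                else
+                } else {
                         $errors->add('user_email', __('That email address has already been used. Please check your inbox for an activation email. It will become available in a couple of days if you do nothing.'));
+                }
         }
 
-        $result = array('user_name' => $user_name, 'orig_username' => $orig_username, 'user_email' => $user_email, 'errors' => $errors);
+        $result = array( 'user_name' => $user_login, 'orig_username' => $orig_userlogin, 'user_email' => $user_email, 'errors' => $errors );
 
         /**
          * Filter the validated user registration details.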
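Review bot: Replacing the inline checks with wp_validate_user_login() in the first hunk relaxes what a network signup login may contain: the removed `preg_match( '/[^a-z0-9]/', $user_name )` test ("Only lowercase letters (a-z) and numbers are allowed.") and the removed underscore check are not reproduced by the shared validator, whose documented character set is the case-insensitive `a-z 0-9 _ . - @`. If the lowercase-only rule for multisite signups is intentional, as its dedicated error message suggests, it should be re-applied after the call, e.g. `if ( preg_match( '/[^a-z0-9]/', $user_login ) ) { $errors->add( 'user_name', __( 'Only lowercase letters (a-z) and numbers are allowed.' ) ); }`. A smaller difference: on an illegal-characters error the old code restored `$user_name = $orig_username` before building `$result`, whereas the new code stores whatever the validator returns under `user_name` and keeps the original only as `orig_username`, so consumers of the result should be checked for which value they expect. The function's body continues past the second hunk.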
  • src/wp-includes/user.php

    diff --git src/wp-includes/user.php src/wp-includes/user.php
    index 5f98b1e..4324740 100644
    function validate_username( $username ) { 
    16671667}
    16681668
    16691669/**
     1670 * Validate a provided user_login
     1671 *
     1672 * user_login requirements:
     1673 *     - minimum of 4 characters
     1674 *     - only contains (case-insensitive) characters: a-z 0-9 _ . - @
     1675 *     - no whitespace
     1676 *     - not on blacklist of illegal names
     1677 *     - contains at least one letter
     1678 *     - must be unique
     1679 *     - not pending signup already
     1680 *
     1681 * @since TBD
     1682 *
     1683 * @param string $user_login The user_login value to be be validated.
     1684 *
     1685 * @return array Contains user_login, original_user_login, and any generated errors
     1686 */
     1687function wp_validate_user_login( $user_login = '', $errors = null ) {
     1688        $original_user_login = $user_login;
     1689
     1690        if ( ! is_wp_error( $errors ) ) {
     1691                $errors = new WP_Error();
     1692        }
     1693
     1694        // User login cannot be empty
     1695        if ( empty( $user_login ) ) {
     1696                $errors->add( 'user_name', __( 'Please enter a username.' ) );
     1697        }
     1698
     1699        // User login must be at least 4 characters
     1700        if ( strlen( $user_login ) < 4 ) {
     1701                $errors->add( 'user_name',  __( 'Username must be at least 4 characters.' ) );
     1702        }
     1703
     1704        // Strip any whitespace and then match against case insensitive characters a-z 0-9 _ . - @
     1705        $user_login = preg_replace( '/\s+/', '', sanitize_user( $user_login, true ) );
     1706
     1707        // If the previous operation generated a different value, the username is invalid
     1708        if ( $user_login !== $original_user_login ) {
     1709                $errors->add( 'user_name', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
     1710        }
     1711
     1712        // Check the user_login against an array of illegal names
     1713        $illegal_names = get_site_option( 'illegal_names' );
     1714        if ( false == is_array( $illegal_names ) ) {
     1715                $illegal_names = array(  'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator' );
     1716                add_site_option( 'illegal_names', $illegal_names );
     1717        }
     1718
     1719        if ( true === in_array( $user_login, $illegal_names ) ) {
     1720                $errors->add( 'user_name',  __( 'That username is not allowed.' ) );
     1721        }
     1722
     1723        // User login must have at least one letter
     1724        if ( preg_match( '/^[0-9]*$/', $user_login ) ) {
     1725                $errors->add( 'user_name', __( 'Sorry, usernames must have letters too!' ) );
     1726        }
     1727
     1728        // Check if the username has been used already.
     1729        if ( username_exists( $user_login ) ) {
     1730                $errors->add( 'user_name', __( 'Sorry, that username already exists!' ) );
     1731        }
     1732
     1733        /**
     1734         * Filter a user's login after it has been validated for creation.
     1735         *
     1736         * @since TBD
     1737         *
     1738         * @param string   $user_login          The user's login.
     1739         * @param string   $original_user_login The original user login.
     1740         * @param WP_Error $errors              User's feedback error messages.
     1741         * }
     1742         */
     1743        return apply_filters_ref_array( 'wp_validate_user_login', array( $user_login, $original_user_login, &$errors ) );
     1744}
     1745
     1746/**
    16701747 * Insert an user into the database.
    16711748 *
    16721749 * Most of the $userdata array fields have filters associated with the values.
    function reset_password( $user, $new_pass ) { 
    22162293function register_new_user( $user_login, $user_email ) {
    22172294        $errors = new WP_Error();
    22182295
    2219         $sanitized_user_login = sanitize_user( $user_login );
    22202296        /**
    22212297         * Filter the email address of a user being registered.
    22222298         *
    function register_new_user( $user_login, $user_email ) { 
    22262302         */
    22272303        $user_email = apply_filters( 'user_registration_email', $user_email );
    22282304
    2229         // Check the username
    2230         if ( $sanitized_user_login == '' ) {
    2231                 $errors->add( 'empty_username', __( '<strong>ERROR</strong>: Please enter a username.' ) );
    2232         } elseif ( ! validate_username( $user_login ) ) {
    2233                 $errors->add( 'invalid_username', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
    2234                 $sanitized_user_login = '';
    2235         } elseif ( username_exists( $sanitized_user_login ) ) {
    2236                 $errors->add( 'username_exists', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ) );
    2237         }
     2305        // Validate the username
     2306        $sanitized_user_login = wp_validate_user_login( $user_login, $errors );
    22382307
    22392308        // Check the e-mail address
    22402309        if ( $user_email == '' ) {