WordPress.org

Make WordPress Core

Ticket #17904: 17904.4.patch

File 17904.4.patch, 13.5 KB (added by imath, 4 years ago)
  • src/wp-admin/includes/user.php

    diff --git src/wp-admin/includes/user.php src/wp-admin/includes/user.php
    index 8304314..d023239 100644
    function add_user() { 
    2020/**
    2121 * Edit user settings based on contents of $_POST
    2222 *
    23  * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
     23 * Used on user-edit.php, user-new.php, and profile.php to manage and process user options, passwords etc.
    2424 *
    2525 * @since 2.0.0
    2626 *
    function edit_user( $user_id = 0 ) { 
    3939                $update = false;
    4040        }
    4141
    42         if ( !$update && isset( $_POST['user_login'] ) )
    43                 $user->user_login = sanitize_user($_POST['user_login'], true);
    44 
    4542        $pass1 = $pass2 = '';
    4643        if ( isset( $_POST['pass1'] ) )
    4744                $pass1 = $_POST['pass1'];
    function edit_user( $user_id = 0 ) { 
    104101
    105102        $errors = new WP_Error();
    106103
    107         /* checking that username has been typed */
    108         if ( $user->user_login == '' )
    109                 $errors->add( 'user_login', __( '<strong>ERROR</strong>: Please enter a username.' ) );
     104        /* Validate the user_login when not updating the user */
     105        if ( ! $update ) {
     106                $user_login = '';
     107
     108                if ( isset( $_POST['user_login'] ) ) {
     109                        $user_login = $_POST['user_login'];
     110                }
     111
     112                $user->user_login = wp_validate_user_login( $user_login, $errors );
     113        }
    110114
    111115        /* checking the password has been typed twice */
    112116        /**
    function edit_user( $user_id = 0 ) { 
    143147        if ( !empty( $pass1 ) )
    144148                $user->user_pass = $pass1;
    145149
    146         if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) )
    147                 $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ));
    148 
    149         if ( !$update && username_exists( $user->user_login ) )
    150                 $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ));
    151 
    152150        /* checking e-mail address */
    153151        if ( empty( $user->user_email ) ) {
    154152                $errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please enter an e-mail address.' ), array( 'form-field' => 'email' ) );
  • src/wp-includes/ms-functions.php

    diff --git src/wp-includes/ms-functions.php src/wp-includes/ms-functions.php
    index 487d840..55580e1 100644
    function is_email_address_unsafe( $user_email ) { 
    458458 *
    459459 * @global wpdb $wpdb
    460460 *
    461  * @param string $user_name The login name provided by the user.
     461 * @param string $user_login The login name provided by the user.
    462462 * @param string $user_email The email provided by the user.
    463463 * @return array Contains username, email, and error messages.
    464464 */
    465 function wpmu_validate_user_signup($user_name, $user_email) {
     465function wpmu_validate_user_signup( $user_login, $user_email ) {
    466466        global $wpdb;
    467467
    468468        $errors = new WP_Error();
     469        $orig_userlogin = $user_login;
    469470
    470         $orig_username = $user_name;
    471         $user_name = preg_replace( '/\s+/', '', sanitize_user( $user_name, true ) );
    472 
    473         if ( $user_name != $orig_username || preg_match( '/[^a-z0-9]/', $user_name ) ) {
    474                 $errors->add( 'user_name', __( 'Only lowercase letters (a-z) and numbers are allowed.' ) );
    475                 $user_name = $orig_username;
    476         }
     471        $user_login = wp_validate_user_login( $user_login, $errors );
    477472
    478473        $user_email = sanitize_email( $user_email );
    479474
    480         if ( empty( $user_name ) )
    481                 $errors->add('user_name', __( 'Please enter a username.' ) );
    482 
    483         $illegal_names = get_site_option( 'illegal_names' );
    484         if ( ! is_array( $illegal_names ) ) {
    485                 $illegal_names = array(  'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator' );
    486                 add_site_option( 'illegal_names', $illegal_names );
    487         }
    488         if ( in_array( $user_name, $illegal_names ) )
    489                 $errors->add('user_name',  __( 'That username is not allowed.' ) );
    490 
    491         if ( is_email_address_unsafe( $user_email ) )
     475        if ( is_email_address_unsafe( $user_email ) ) {
    492476                $errors->add('user_email',  __('You cannot use that email address to signup. We are having problems with them blocking some of our email. Please use another email provider.'));
    493 
    494         if ( strlen( $user_name ) < 4 )
    495                 $errors->add('user_name',  __( 'Username must be at least 4 characters.' ) );
    496 
    497         if ( strlen( $user_name ) > 60 ) {
    498                 $errors->add( 'user_name', __( 'Username may not be longer than 60 characters.' ) );
    499477        }
    500478
    501         if ( strpos( $user_name, '_' ) !== false )
    502                 $errors->add( 'user_name', __( 'Sorry, usernames may not contain the character &#8220;_&#8221;!' ) );
    503 
    504         // all numeric?
    505         if ( preg_match( '/^[0-9]*$/', $user_name ) )
    506                 $errors->add('user_name', __('Sorry, usernames must have letters too!'));
    507 
    508         if ( !is_email( $user_email ) )
     479        if ( ! is_email( $user_email ) ) {
    509480                $errors->add('user_email', __( 'Please enter a valid email address.' ) );
     481        }
    510482
    511483        $limited_email_domains = get_site_option( 'limited_email_domains' );
    512484        if ( is_array( $limited_email_domains ) && ! empty( $limited_email_domains ) ) {
    function wpmu_validate_user_signup($user_name, $user_email) { 
    516488                }
    517489        }
    518490
    519         // Check if the username has been used already.
    520         if ( username_exists($user_name) )
    521                 $errors->add( 'user_name', __( 'Sorry, that username already exists!' ) );
    522 
    523491        // Check if the email address has been used already.
    524         if ( email_exists($user_email) )
     492        if ( email_exists( $user_email ) ) {
    525493                $errors->add( 'user_email', __( 'Sorry, that email address is already used!' ) );
     494        }
    526495
    527496        // Has someone already signed up for this username?
    528         $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_login = %s", $user_name) );
     497        $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_login = %s", $user_login ) );
    529498        if ( $signup != null ) {
    530499                $registered_at =  mysql2date('U', $signup->registered);
    531500                $now = current_time( 'timestamp', true );
    532501                $diff = $now - $registered_at;
    533502                // If registered more than two days ago, cancel registration and let this signup go through.
    534                 if ( $diff > 2 * DAY_IN_SECONDS )
    535                         $wpdb->delete( $wpdb->signups, array( 'user_login' => $user_name ) );
    536                 else
     503                if ( $diff > 2 * DAY_IN_SECONDS ) {
     504                        $wpdb->delete( $wpdb->signups, array( 'user_login' => $user_login ) );
     505                } else {
    537506                        $errors->add('user_name', __('That username is currently reserved but may be available in a couple of days.'));
     507                }
    538508        }
    539509
    540         $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_email = %s", $user_email) );
     510        $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_email = %s", $user_email ) );
    541511        if ( $signup != null ) {
    542512                $diff = current_time( 'timestamp', true ) - mysql2date('U', $signup->registered);
    543513                // If registered more than two days ago, cancel registration and let this signup go through.
    544                 if ( $diff > 2 * DAY_IN_SECONDS )
     514                if ( $diff > 2 * DAY_IN_SECONDS ) {
    545515                        $wpdb->delete( $wpdb->signups, array( 'user_email' => $user_email ) );
    546                 else
     516                } else {
    547517                        $errors->add('user_email', __('That email address has already been used. Please check your inbox for an activation email. It will become available in a couple of days if you do nothing.'));
     518                }
    548519        }
    549520
    550         $result = array('user_name' => $user_name, 'orig_username' => $orig_username, 'user_email' => $user_email, 'errors' => $errors);
     521        $result = array( 'user_name' => $user_login, 'orig_username' => $orig_userlogin, 'user_email' => $user_email, 'errors' => $errors );
    551522
    552523        /**
    553524         * Filter the validated user registration details.
  • src/wp-includes/user.php

    diff --git src/wp-includes/user.php src/wp-includes/user.php
    index 1c8a5b3..916e075 100644
    function validate_username( $username ) { 
    18031803}
    18041804
    18051805/**
     1806 * Validate a provided user_login
     1807 *
     1808 * user_login requirements:
     1809 *     - minimum of 4 characters
     1810 *     - maximum of 60 characters
     1811 *     - only contains (case-insensitive) characters: a-z 0-9 _ . - @
     1812 *     - no whitespace
     1813 *     - not on blacklist of illegal names
     1814 *     - contains at least one letter
     1815 *     - must be unique
     1816 *     - not pending signup already
     1817 *
     1818 * @since TBD
     1819 *
     1820 * @param string $user_login The user_login value to be be validated.
     1821 *
     1822 * @return array Contains user_login, original_user_login, and any generated errors
     1823 */
     1824function wp_validate_user_login( $user_login = '', $errors = null ) {
     1825        $original_user_login = $user_login;
     1826
     1827        if ( ! is_wp_error( $errors ) ) {
     1828                $errors = new WP_Error();
     1829        }
     1830
     1831        // User login cannot be empty
     1832        if ( empty( $user_login ) ) {
     1833                $errors->add( 'user_name', __( 'Please enter a username.' ) );
     1834        }
     1835
     1836        // User login must be at least 4 characters
     1837        if ( strlen( $user_login ) < 4 ) {
     1838                $errors->add( 'user_name',  __( 'Username must be at least 4 characters.' ) );
     1839        }
     1840
     1841        // User login must be less than 60 characters
     1842        if ( strlen( $user_login ) > 60 ) {
     1843                $errors->add( 'user_name', __( 'Username may not be longer than 60 characters.' ) );
     1844        }
     1845
     1846        // Strip any whitespace and then match against case insensitive characters a-z 0-9 _ . - @
     1847        $user_login = preg_replace( '/\s+/', '', sanitize_user( $user_login, true ) );
     1848
     1849        // If the previous operation generated a different value, the username is invalid
     1850        if ( $user_login !== $original_user_login ) {
     1851                $errors->add( 'user_name', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
     1852        }
     1853
     1854        // Check the user_login against an array of illegal names
     1855        $illegal_names = get_site_option( 'illegal_names' );
     1856        if ( false == is_array( $illegal_names ) ) {
     1857                $illegal_names = array(  'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator' );
     1858                add_site_option( 'illegal_names', $illegal_names );
     1859        }
     1860
     1861        if ( true === in_array( $user_login, $illegal_names ) ) {
     1862                $errors->add( 'user_name',  __( 'That username is not allowed.' ) );
     1863        }
     1864
     1865        // User login must have at least one letter
     1866        if ( preg_match( '/^[0-9]*$/', $user_login ) ) {
     1867                $errors->add( 'user_name', __( 'Sorry, usernames must have letters too!' ) );
     1868        }
     1869
     1870        // Check if the username has been used already.
     1871        if ( username_exists( $user_login ) ) {
     1872                $errors->add( 'user_name', __( 'Sorry, that username already exists!' ) );
     1873        }
     1874
     1875        /**
     1876         * Filter a user's login after it has been validated for creation.
     1877         *
     1878         * @since TBD
     1879         *
     1880         * @param string   $user_login          The user's login.
     1881         * @param string   $original_user_login The original user login.
     1882         * @param WP_Error $errors              User's feedback error messages.
     1883         * }
     1884         */
     1885        return apply_filters_ref_array( 'wp_validate_user_login', array( $user_login, $original_user_login, &$errors ) );
     1886}
     1887
     1888/**
    18061889 * Insert a user into the database.
    18071890 *
    18081891 * Most of the `$userdata` array fields have filters associated with the values. Exceptions are
    function reset_password( $user, $new_pass ) { 
    25422625function register_new_user( $user_login, $user_email ) {
    25432626        $errors = new WP_Error();
    25442627
    2545         $sanitized_user_login = sanitize_user( $user_login );
    25462628        /**
    25472629         * Filter the email address of a user being registered.
    25482630         *
    function register_new_user( $user_login, $user_email ) { 
    25522634         */
    25532635        $user_email = apply_filters( 'user_registration_email', $user_email );
    25542636
    2555         // Check the username
    2556         if ( $sanitized_user_login == '' ) {
    2557                 $errors->add( 'empty_username', __( '<strong>ERROR</strong>: Please enter a username.' ) );
    2558         } elseif ( ! validate_username( $user_login ) ) {
    2559                 $errors->add( 'invalid_username', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
    2560                 $sanitized_user_login = '';
    2561         } elseif ( username_exists( $sanitized_user_login ) ) {
    2562                 $errors->add( 'username_exists', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ) );
    2563         }
     2637        // Validate the username
     2638        $sanitized_user_login = wp_validate_user_login( $user_login, $errors );
    25642639
    25652640        // Check the e-mail address
    25662641        if ( $user_email == '' ) {
  • src/wp-signup.php

    diff --git src/wp-signup.php src/wp-signup.php
    index 3373f8e..72d7393 100644
    do_action( 'before_signup_form' ); 
    8989 */
    9090function show_blog_form( $blogname = '', $blog_title = '', $errors = '' ) {
    9191        $current_site = get_current_site();
     92
    9293        // Blog name
     94        $blogname = preg_replace( '|[_.\-@]|i', '', $blogname );
     95
    9396        if ( !is_subdomain_install() )
    9497                echo '<label for="blogname">' . __('Site Name:') . '</label>';
    9598        else
  • tests/phpunit/tests/multisite/wpmuValidateUserSignup.php

    diff --git tests/phpunit/tests/multisite/wpmuValidateUserSignup.php tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
    index a368288..c69ec97 100644
    class Tests_Multisite_WpmuValidateUserSignup extends WP_UnitTestCase { 
    99        /**
    1010         * @dataProvider data_user_name
    1111         */
    12         public function test_user_name( $user_name, $error_message ) {
    13                 $v = wpmu_validate_user_signup( $user_name, 'foo@example.com' );
     12        public function test_user_name( $user_login, $error_message ) {
     13                $v = wpmu_validate_user_signup( $user_login, 'foo@example.com' );
    1414                $this->assertContains( 'user_name', $v['errors']->get_error_codes(), $error_message );
    1515        }
    1616
    class Tests_Multisite_WpmuValidateUserSignup extends WP_UnitTestCase { 
    1818                return array(
    1919                        array( 'contains spaces', 'User names with spaces are not allowed.' ),
    2020                        array( 'ContainsCaps', 'User names with capital letters are not allowed.'  ),
    21                         array( 'contains_underscores', 'User names with underscores are not allowed.'  ),
    2221                        array( 'contains%^*()junk', 'User names with non-alphanumeric characters are not allowed.'  ),
    2322                        array( '', 'Empty user names are not allowed.'  ),
    2423                        array( 'foo', 'User names of 3 characters are not allowed.'  ),