

Ticket #17904: 17904.7.diff

File 17904.7.diff, 19.3 KB (added by FolioVision, 3 years ago)

Making sure the blank spaces in wp signup are not stripped

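--- a/src/wp-admin/includes/user.php
+++ b/src/wp-admin/includes/user.php
@@ -20,7 +20,7 @@
 /**
  * Edit user settings based on contents of $_POST
  *
- * Used on user-edit.php and profile.php to manage and process user options, passwords etc.
+ * Used on user-edit.php, user-new.php, and profile.php to manage and process user options, passwords etc.
  *
  * @since 2.0.0
  *
@@ -39,9 +39,6 @@
        $update = false;
    }
 
-   if ( !$update && isset( $_POST['user_login'] ) )
-       $user->user_login = sanitize_user($_POST['user_login'], true);
-
    $pass1 = $pass2 = '';
    if ( isset( $_POST['pass1'] ) )
        $pass1 = $_POST['pass1'];
@@ -114,10 +111,17 @@
 
    $errors = new WP_Error();
 
-   /* checking that username has been typed */
-   if ( $user->user_login == '' )
-       $errors->add( 'user_login', __( '<strong>ERROR</strong>: Please enter a username.' ) );
+   /* Validate the user_login when not updating the user */
+   if ( ! $update ) {
+       $user->user_login = '';
 
+       if ( isset( $_POST['user_login'] ) ) {
+           $user->user_login = $_POST['user_login'];
+       }
+
+       wp_validate_user_login( $user->user_login, $errors );
+   }
+
    /* checking that nickname has been typed */
    if ( $update && empty( $user->nickname ) ) {
        $errors->add( 'nickname', __( '<strong>ERROR</strong>: Please enter a nickname.' ) );
@@ -152,12 +156,6 @@
    if ( !empty( $pass1 ) )
        $user->user_pass = $pass1;
 
-   if ( !$update && isset( $_POST['user_login'] ) && !validate_username( $_POST['user_login'] ) )
-       $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ));
-
-   if ( !$update && username_exists( $user->user_login ) )
-       $errors->add( 'user_login', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ));
-
    /** This filter is documented in wp-includes/user.php */
    $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() );
 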
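Review bot: The error codes attached to the login field change from `user_login` (the removed `$errors->add( 'user_login', ... )` calls) to whatever wp_validate_user_login emits, which in the wp-includes/user.php hunk of this patch is `user_name`, so any screen or plugin that keys on the old code to highlight or report the field stops matching; if that is intended, edit_user's docblock should state the new codes. The retained `illegal_user_logins` lookup at the end of the last hunk repeats a check wp_validate_user_login already performs, so for a new user the "not allowed" message is likely added twice unless the comparison that follows (outside the hunk) is no longer guarded by `! $update`. `$user->user_login` now receives the raw `$_POST['user_login']` where the removed line ran it through sanitize_user(); that is only safe because wp_validate_user_login rejects any value sanitize_user() would alter, which deserves a comment such as `// Kept unsanitized on purpose: wp_validate_user_login() rejects anything sanitize_user() would change`. edit_user continues outside these hunks on both sides.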
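--- a/src/wp-includes/ms-default-filters.php
+++ b/src/wp-includes/ms-default-filters.php
@@ -30,7 +30,6 @@
 add_action( 'network_site_new_created_user',   'wp_send_new_user_notifications' );
 add_action( 'network_site_users_created_user', 'wp_send_new_user_notifications' );
 add_action( 'network_user_new_created_user',   'wp_send_new_user_notifications' );
-add_filter( 'sanitize_user', 'strtolower' );
 
 // Blogs
 add_filter( 'wpmu_validate_blog_signup', 'signup_nonce_check' );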
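--- a/src/wp-includes/ms-functions.php
+++ b/src/wp-includes/ms-functions.php
@@ -403,58 +403,22 @@
  *
  * @global wpdb $wpdb WordPress database abstraction object.
  *
- * @param string $user_name The login name provided by the user.
+ * @param string $user_login The login name provided by the user.
  * @param string $user_email The email provided by the user.
  * @return array Contains username, email, and error messages.
  */
-function wpmu_validate_user_signup($user_name, $user_email) {
+function wpmu_validate_user_signup( $user_login, $user_email ) {
    global $wpdb;
 
    $errors = new WP_Error();
+   $orig_userlogin = $user_login;
+   wp_validate_user_login( $user_login, $errors );
 
-   $orig_username = $user_name;
-   $user_name = preg_replace( '/\s+/', '', sanitize_user( $user_name, true ) );
-
-   if ( $user_name != $orig_username || preg_match( '/[^a-z0-9]/', $user_name ) ) {
-       $errors->add( 'user_name', __( 'Usernames can only contain lowercase letters (a-z) and numbers.' ) );
-       $user_name = $orig_username;
-   }
-
    $user_email = sanitize_email( $user_email );
 
-   if ( empty( $user_name ) )
-       $errors->add('user_name', __( 'Please enter a username.' ) );
-
-   $illegal_names = get_site_option( 'illegal_names' );
-   if ( ! is_array( $illegal_names ) ) {
-       $illegal_names = array(  'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator' );
-       add_site_option( 'illegal_names', $illegal_names );
-   }
-   if ( in_array( $user_name, $illegal_names ) ) {
-       $errors->add( 'user_name',  __( 'Sorry, that username is not allowed.' ) );
-   }
-
-   /** This filter is documented in wp-includes/user.php */
-   $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() );
-
-   if ( in_array( strtolower( $user_name ), array_map( 'strtolower', $illegal_logins ) ) ) {
-       $errors->add( 'user_name',  __( 'Sorry, that username is not allowed.' ) );
-   }
-
    if ( is_email_address_unsafe( $user_email ) )
        $errors->add('user_email',  __('You cannot use that email address to signup. We are having problems with them blocking some of our email. Please use another email provider.'));
 
-   if ( strlen( $user_name ) < 4 )
-       $errors->add('user_name',  __( 'Username must be at least 4 characters.' ) );
-
-   if ( strlen( $user_name ) > 60 ) {
-       $errors->add( 'user_name', __( 'Username may not be longer than 60 characters.' ) );
-   }
-
-   // all numeric?
-   if ( preg_match( '/^[0-9]*$/', $user_name ) )
-       $errors->add('user_name', __('Sorry, usernames must have letters too!'));
-
    if ( !is_email( $user_email ) )
        $errors->add('user_email', __( 'Please enter a valid email address.' ) );
 
@@ -466,27 +430,10 @@
        }
    }
 
-   // Check if the username has been used already.
-   if ( username_exists($user_name) )
-       $errors->add( 'user_name', __( 'Sorry, that username already exists!' ) );
-
    // Check if the email address has been used already.
    if ( email_exists($user_email) )
        $errors->add( 'user_email', __( 'Sorry, that email address is already used!' ) );
 
-   // Has someone already signed up for this username?
-   $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_login = %s", $user_name) );
-   if ( $signup != null ) {
-       $registered_at =  mysql2date('U', $signup->registered);
-       $now = current_time( 'timestamp', true );
-       $diff = $now - $registered_at;
-       // If registered more than two days ago, cancel registration and let this signup go through.
-       if ( $diff > 2 * DAY_IN_SECONDS )
-           $wpdb->delete( $wpdb->signups, array( 'user_login' => $user_name ) );
-       else
-           $errors->add('user_name', __('That username is currently reserved but may be available in a couple of days.'));
-   }
-
    $signup = $wpdb->get_row( $wpdb->prepare("SELECT * FROM $wpdb->signups WHERE user_email = %s", $user_email) );
    if ( $signup != null ) {
        $diff = current_time( 'timestamp', true ) - mysql2date('U', $signup->registered);
@@ -497,7 +444,7 @@
            $errors->add('user_email', __('That email address has already been used. Please check your inbox for an activation email. It will become available in a couple of days if you do nothing.'));
    }
 
-   $result = array('user_name' => $user_name, 'orig_username' => $orig_username, 'user_email' => $user_email, 'errors' => $errors);
+   $result = array( 'user_name' => $user_login, 'orig_username' => $orig_userlogin, 'user_email' => $user_email, 'errors' => $errors );
 
    /**
     * Filters the validated user registration details.
@@ -717,7 +664,7 @@
    global $wpdb;
 
    // Format data
-   $user = preg_replace( '/\s+/', '', sanitize_user( $user, true ) );
+   $user = preg_replace( '/\s\s+/', ' ', sanitize_user( $user, true ) );
    $user_email = sanitize_email( $user_email );
    $key = substr( md5( time() . rand() . $user_email ), 0, 16 );
    $meta = serialize($meta);
@@ -1047,7 +994,7 @@
  * @return int|false Returns false on failure, or int $user_id on success
  */
 function wpmu_create_user( $user_name, $password, $email ) {
-   $user_name = preg_replace( '/\s+/', '', sanitize_user( $user_name, true ) );
+   $user_name = preg_replace( '/\s\s+/', ' ', sanitize_user( $user_name, true ) );
 
    $user_id = wp_create_user( $user_name, $password, $email );
    if ( is_wp_error( $user_id ) )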
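Review bot: In wpmu_validate_user_signup nothing modifies `$user_login` after `$orig_userlogin = $user_login;` (it is passed to wp_validate_user_login by value), so the `user_name` and `orig_username` entries of `$result` are now always identical and, unlike the removed code, `user_name` is no longer the sanitize_user() form of the input; a comment on the `$result` line such as `// user_name is returned unmodified; orig_username is kept for back-compat with the filter signature` would save readers a search, and callers that treated `user_name` as a normalized value (the blogname default in wp-signup.php, for instance) should be checked. In the wpmu_signup_user and wpmu_create_user hunks, `preg_replace( '/\s\s+/', ' ', ... )` runs on the output of sanitize_user(), which already trims and collapses contiguous whitespace to a single space, so the replacement appears to be a no-op; if it is meant as a guard against a `sanitize_user` filter re-introducing whitespace, a comment should say so, otherwise it can go. All three functions continue outside their hunks.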
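--- a/src/wp-includes/user.php
+++ b/src/wp-includes/user.php
@@ -2243,6 +2243,132 @@
 }
 
 /**
+ * Validate a provided user_login
+ *
+ * user_login requirements:
+ *     - minimum of 4 characters
+ *     - maximum of 60 characters
+ *     - only contains (case-insensitive) characters: a-z 0-9 _ . - @
+ *     - no whitespace
+ *     - not on blacklist of illegal names
+ *     - contains at least one letter
+ *     - must be unique
+ *     - not pending signup already
+ *
+ * @since TBD
+ *
+ * @param string $user_login The user_login value to be be validated.
+ *
+ * @return True|WP_Error True if the user login is valid, WP_Error otherwise.
+ */
+function wp_validate_user_login( $user_login = '', $errors = null ) {
+   global $wpdb;
+   $original_user_login = $user_login;
+
+   if ( ! is_wp_error( $errors ) ) {
+       $errors = new WP_Error();
+   }
+
+   // User login cannot be empty
+   if ( empty( $user_login ) ) {
+       $errors->add( 'user_name', __( 'Please enter a username.' ) );
+   }
+
+   // User login must be less than 60 characters
+   if ( strlen( $user_login ) > 60 ) {
+       $errors->add( 'user_name', __( 'Username may not be longer than 60 characters.' ) );
+   }
+
+   // Check if the login passes sanitize_user() which doesn't strip whitespace
+   $user_login = sanitize_user( $user_login, true );
+
+   // If the previous operation generated a different value, the username is invalid
+   if ( $user_login !== $original_user_login ) {
+       $errors->add( 'user_name', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
+   }
+
+   if ( is_multisite() ) {
+       // Check the user_login against an array of illegal names
+       $illegal_logins = get_site_option( 'illegal_names' );
+       if ( false == is_array( $illegal_logins ) ) {
+           $illegal_logins = array( 'www', 'web', 'root', 'admin', 'main', 'invite', 'administrator' );
+           add_site_option( 'illegal_names', $illegal_logins );
+       }
+       if ( in_array( $user_login, $illegal_logins ) ) {
+           $errors->add( 'user_name',  __( 'Sorry, that username is not allowed.' ) );
+       }
+   }
+
+   /** This filter is documented in wp-includes/user.php */
+   $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() );
+
+   if ( in_array( strtolower( $user_login ), array_map( 'strtolower', $illegal_logins ) ) ) {
+       if ( is_multisite() ) {
+           $errors->add( 'user_name',  __( 'Sorry, that username is not allowed.' ) );
+       } else {
+           $errors->add( 'invalid_username',  __( 'Sorry, that username is not allowed.' ) );
+       }
+   }
+
+   if ( is_multisite() ) {
+       // User login must have at least one letter
+       if ( ! preg_match( '/[a-zA-Z]+/', $user_login ) ) {
+           $errors->add( 'user_name', __( 'Sorry, usernames must have letters too!' ) );
+       }
+   }
+
+   // Check if the username has been used already.
+   if ( username_exists( $user_login ) ) {
+       $errors->add( 'user_name', __( 'Sorry, that username already exists!' ) );
+   }
+
+   if ( is_multisite() ) {
+       // Has someone already signed up for this username?
+       $signup = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->signups WHERE user_login = %s", $user_login ) );
+       if ( $signup != null ) {
+           $registered_at =  mysql2date( 'U', $signup->registered );
+           $now = current_time( 'timestamp', true );
+           $diff = $now - $registered_at;
+           // If registered more than two days ago, cancel registration and let this signup go through.
+           if ( $diff > 2 * DAY_IN_SECONDS )
+               $wpdb->delete( $wpdb->signups, array( 'user_login' => $user_login ) );
+           else
+               $errors->add( 'user_name', __( 'That username is currently reserved but may be available in a couple of days.' ) );
+       }
+   }
+
+   /**
+    * Filter whether the provided user_login is valid or not.
+    *
+    * @since 2.0.1
+    *
+    * @param bool   $valid      Whether given user_login is valid.
+    * @param string $user_login user_login to check.
+    */
+   $valid = apply_filters( 'validate_username', true, $user_login );
+   if ( ! $valid ) {
+       $errors->add( 'user_name', __( 'Sorry, that username is invalid.' ) );
+   }
+
+   /**
+    * Validate a user_login. A user_login can be invalidated by adding an error
+    * to the WP_Error.
+    *
+    * @since TBD
+    *
+    * @param  WP_Error $errors
+    * @param  string   $user_login The user_login to validate.
+    */
+   do_action( 'wp_validate_user_login', $errors, $user_login );
+
+   if ( $errors->errors ) {
+       return $errors;
+   } else {
+       return true;
+   }
+}
+
+/**
  * Handles registering a new user.
  *
  * @since 2.5.0
@@ -2254,7 +2380,6 @@
 function register_new_user( $user_login, $user_email ) {
    $errors = new WP_Error();
 
-   $sanitized_user_login = sanitize_user( $user_login );
    /**
     * Filters the email address of a user being registered.
     *
@@ -2264,23 +2389,9 @@
     */
    $user_email = apply_filters( 'user_registration_email', $user_email );
 
-   // Check the username
-   if ( $sanitized_user_login == '' ) {
-       $errors->add( 'empty_username', __( '<strong>ERROR</strong>: Please enter a username.' ) );
-   } elseif ( ! validate_username( $user_login ) ) {
-       $errors->add( 'invalid_username', __( '<strong>ERROR</strong>: This username is invalid because it uses illegal characters. Please enter a valid username.' ) );
-       $sanitized_user_login = '';
-   } elseif ( username_exists( $sanitized_user_login ) ) {
-       $errors->add( 'username_exists', __( '<strong>ERROR</strong>: This username is already registered. Please choose another one.' ) );
+   // Validate the username
+   wp_validate_user_login( $user_login, $errors );
 
-   } else {
-       /** This filter is documented in wp-includes/user.php */
-       $illegal_user_logins = array_map( 'strtolower', (array) apply_filters( 'illegal_user_logins', array() ) );
-       if ( in_array( strtolower( $sanitized_user_login ), $illegal_user_logins ) ) {
-           $errors->add( 'invalid_username', __( '<strong>ERROR</strong>: Sorry, that username is not allowed.' ) );
-       }
-   }
-
    // Check the email address
    if ( $user_email == '' ) {
        $errors->add( 'empty_email', __( '<strong>ERROR</strong>: Please type your email address.' ) );
@@ -2296,13 +2407,13 @@
     *
     * @since 2.1.0
     *
-    * @param string   $sanitized_user_login The submitted username after being sanitized.
-    * @param string   $user_email           The submitted email.
-    * @param WP_Error $errors               Contains any errors with submitted username and email,
-    *                                       e.g., an empty field, an invalid username or email,
-    *                                       or an existing username or email.
+    * @param string   $user_login The submitted username after being sanitized.
+    * @param string   $user_email The submitted email.
+    * @param WP_Error $errors     Contains any errors with submitted username and email,
+    *                             e.g., an empty field, an invalid username or email,
+    *                             or an existing username or email.
     */
-   do_action( 'register_post', $sanitized_user_login, $user_email, $errors );
+   do_action( 'register_post', $user_login, $user_email, $errors );
 
    /**
     * Filters the errors encountered when a new user is being registered.
@@ -2315,18 +2426,18 @@
     *
     * @since 2.1.0
     *
-    * @param WP_Error $errors               A WP_Error object containing any errors encountered
-    *                                       during registration.
-    * @param string   $sanitized_user_login User's username after it has been sanitized.
-    * @param string   $user_email           User's email.
+    * @param WP_Error $errors     A WP_Error object containing any errors encountered
+    *                             during registration.
+    * @param string   $user_login User's username.
+    * @param string   $user_email User's email.
     */
-   $errors = apply_filters( 'registration_errors', $errors, $sanitized_user_login, $user_email );
+   $errors = apply_filters( 'registration_errors', $errors, $user_login, $user_email );
 
    if ( $errors->get_error_code() )
        return $errors;
 
    $user_pass = wp_generate_password( 12, false );
-   $user_id = wp_create_user( $sanitized_user_login, $user_pass, $user_email );
+   $user_id = wp_create_user( $user_login, $user_pass, $user_email );
    if ( ! $user_id || is_wp_error( $user_id ) ) {
        $errors->add( 'registerfail', sprintf( __( '<strong>ERROR</strong>: Couldn&#8217;t register you&hellip; please contact the <a href="mailto:%s">webmaster</a> !' ), get_option( 'admin_email' ) ) );
        return $errors;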
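Review bot: The multisite `illegal_names` check at 2297 uses a case-sensitive `in_array( $user_login, $illegal_logins )`, and because this patch also removes the `sanitize_user` → `strtolower` filter from ms-default-filters.php, a login such as `Admin` or `WWW` now passes the reserved-name list that `admin`/`www` fails; compare it the way the `illegal_user_logins` check just below already does, `if ( in_array( strtolower( $user_login ), array_map( 'strtolower', $illegal_logins ), true ) ) {`. The docblock does not match the body: "minimum of 4 characters" is never enforced (the `strlen < 4` check removed from wpmu_validate_user_signup has no replacement here), "no whitespace" contradicts the comment at 2282 and the purpose of the patch (single spaces survive sanitize_user()), the `$errors` parameter is undocumented, and `@return True|WP_Error` should read `true|WP_Error`. Error codes are inconsistent with the callers being replaced: register_new_user used to report `empty_username`, `invalid_username` and `username_exists`, while this function reports `user_name` for everything except the one branch at 2309, so single-site code inspecting `get_error_code()` sees different codes after this change; either keep the old codes outside multisite or document the new ones. `empty( $user_login )` at 2273 also treats the login `'0'` as blank, which the message then misreports.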
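--- a/wp-signup.php
+++ b/wp-signup.php
@@ -659,7 +659,7 @@
    $errors = $filtered_results['errors'];
 
    if ( empty($blogname) )
-       $blogname = $user_name;
+       $blogname = preg_replace( '|[ _.\-@]|i', '', strtolower($user_name) );
    ?>
    <form id="setupform" method="post" action="wp-signup.php">
        <input type="hidden" name="stage" value="validate-blog-signup" />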
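Review bot: The `i` modifier on `'|[ _.\-@]|i'` is redundant, since the character class contains no letters and the subject has already been lowercased; `$blogname = preg_replace( '|[ _.\-@]|', '', strtolower( $user_name ) );` says the same thing, and a comment on why these characters are dropped would help more, e.g. `// Logins may now contain spaces and _.-@, which are not valid in a blog name`. Whether `$user_name` here is the raw form input or the value returned by wpmu_validate_user_signup is not visible in this hunk; with this patch that return value is no longer sanitized, so it is worth confirming that the derived `$blogname` is escaped where it is echoed into the form that follows. The enclosing function continues outside the hunk.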
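--- a/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
+++ b/tests/phpunit/tests/multisite/wpmuValidateUserSignup.php
@@ -9,8 +9,8 @@
    /**
     * @dataProvider data_user_name
     */
-   public function test_user_name( $user_name, $error_message ) {
-       $v = wpmu_validate_user_signup( $user_name, 'foo@example.com' );
+   public function test_user_name( $user_login, $error_message ) {
+       $v = wpmu_validate_user_signup( $user_login, 'foo@example.com' );
        $this->assertContains( 'user_name', $v['errors']->get_error_codes(), $error_message );
    }
 
@@ -18,13 +18,8 @@
        return array(
            array( 'contains spaces', 'User names with spaces are not allowed.' ),
            array( 'ContainsCaps', 'User names with capital letters are not allowed.'  ),
-           array( 'contains_underscores', 'User names with underscores are not allowed.'  ),
            array( 'contains%^*()junk', 'User names with non-alphanumeric characters are not allowed.'  ),
            array( '', 'Empty user names are not allowed.'  ),
-           array( 'foo', 'User names of 3 characters are not allowed.'  ),
-           array( 'fo', 'User names of 2 characters are not allowed.'  ),
-           array( 'f', 'User names of 1 characters are not allowed.'  ),
-           array( 'f', 'User names of 1 characters are not allowed.'  ),
            array( '12345', 'User names consisting only of numbers are not allowed.'  ),
            array( 'thisusernamecontainsenoughcharacterstobelongerthan60characters', 'User names longer than 60 characters are not allowed.' ),
        );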
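Review bot: The rows `'contains spaces'` and `'ContainsCaps'` kept in data_user_name still expect a `user_name` error, but after this patch wp_validate_user_login only rejects a login that sanitize_user() would alter, sanitize_user() keeps single spaces (the comment at 2282 in the user.php hunk says as much) and the lowercasing filter is removed from ms-default-filters.php, so both rows appear to become failing tests unless some path not shown here still rejects them. Either drop them alongside the removed underscore and short-name rows, or, better, add the positive case this patch exists for (a login containing a single interior space that must not yield a `user_name` error) so the new behavior is pinned; a case such as `'Admin'` against the multisite `illegal_names` list would also be worth adding, since that comparison is case-sensitive. The provider continues outside the hunk.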