WordPress.org

Make WordPress Core

Changeset 22461


Ignore:
Timestamp:
11/08/2012 01:06:17 AM (6 years ago)
Author:
nacin
Message:

Fix the matching in is_email_address_unsafe(), which was too aggressive.

We should only check to see if the user's email address has the same
domain as or is a subdomain of any banned email domain.

Add a filter.

props mdawaffe.
fixes #21570.

File:
1 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/ms-functions.php

    r22430 r22461  
    376376function is_email_address_unsafe( $user_email ) {
    377377    $banned_names = get_site_option( 'banned_email_domains' );
    378     if ($banned_names && !is_array( $banned_names ))
    379         $banned_names = explode( "\n", $banned_names);
    380 
    381     if ( is_array( $banned_names ) && empty( $banned_names ) == false ) {
    382         $email_domain = strtolower( substr( $user_email, 1 + strpos( $user_email, '@' ) ) );
    383         foreach ( (array) $banned_names as $banned_domain ) {
    384             if ( $banned_domain == '' )
     378    if ( $banned_names && ! is_array( $banned_names ) )
     379        $banned_names = explode( "\n", $banned_names );
     380
     381    $is_email_address_unsafe = false;
     382
     383    if ( $banned_names && is_array( $banned_names ) ) {
     384        list( $email_local_part, $email_domain ) = explode( '@', $user_email );
     385
     386        foreach ( $banned_names as $banned_domain ) {
     387            if ( ! $banned_domain )
    385388                continue;
    386             if (
    387                 strstr( $email_domain, $banned_domain ) ||
    388                 (
    389                     strstr( $banned_domain, '/' ) &&
    390                     preg_match( $banned_domain, $email_domain )
    391                 )
    392             )
    393             return true;
     389
     390            if ( $email_domain == $banned_domain ) {
     391                $is_email_address_unsafe = true;
     392                break;
     393            }
     394
     395            $dotted_domain = ".$banned_domain";
     396            if ( $dotted_domain === substr( $user_email, -strlen( $dotted_domain ) ) ) {
     397                $is_email_address_unsafe = true;
     398                break;
     399            }
    394400        }
    395401    }
    396     return false;
     402
     403    return apply_filters( 'is_email_address_unsafe', $is_email_address_unsafe, $user_email );
    397404}
    398405
Note: See TracChangeset for help on using the changeset viewer.