
Changeset 22461


Timestamp:
11/08/12 01:06:17 (18 months ago)
Author:
nacin
Message:

Fix the matching in is_email_address_unsafe(), which was too aggressive.

We should only check to see if the user's email address has the same
domain as or is a subdomain of any banned email domain.

Add a filter.

props mdawaffe.
fixes #21570.

File:
1 edited

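--- a/trunk/wp-includes/ms-functions.php
+++ b/trunk/wp-includes/ms-functions.php
@@ -376,23 +376,30 @@
 function is_email_address_unsafe( $user_email ) {
     $banned_names = get_site_option( 'banned_email_domains' );
-    if ($banned_names && !is_array( $banned_names ))
-        $banned_names = explode( "\n", $banned_names);
-
-    if ( is_array( $banned_names ) && empty( $banned_names ) == false ) {
-        $email_domain = strtolower( substr( $user_email, 1 + strpos( $user_email, '@' ) ) );
-        foreach ( (array) $banned_names as $banned_domain ) {
-            if ( $banned_domain == '' )
+    if ( $banned_names && ! is_array( $banned_names ) )
+        $banned_names = explode( "\n", $banned_names );
+
+    $is_email_address_unsafe = false;
+
+    if ( $banned_names && is_array( $banned_names ) ) {
+        list( $email_local_part, $email_domain ) = explode( '@', $user_email );
+
+        foreach ( $banned_names as $banned_domain ) {
+            if ( ! $banned_domain )
                 continue;
-            if (
-                strstr( $email_domain, $banned_domain ) ||
-                (
-                    strstr( $banned_domain, '/' ) &&
-                    preg_match( $banned_domain, $email_domain )
-                )
-            )
-            return true;
+
+            if ( $email_domain == $banned_domain ) {
+                $is_email_address_unsafe = true;
+                break;
+            }
+
+            $dotted_domain = ".$banned_domain";
+            if ( $dotted_domain === substr( $user_email, -strlen( $dotted_domain ) ) ) {
+                $is_email_address_unsafe = true;
+                break;
+            }
         }
     }
-    return false;
+
+    return apply_filters( 'is_email_address_unsafe', $is_email_address_unsafe, $user_email );
 }
 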
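Review bot: The rewritten comparison is case-sensitive: the removed code ran `strtolower()` over the address's domain, but the new `explode( '@', $user_email )` and the `substr( $user_email, ... )` suffix check both use the address exactly as given, so a domain written in a different case from the stored entry no longer matches. Normalise both sides before comparing, e.g. `$normalized_email = strtolower( $user_email );` used for both the explode and the substr, and `$banned_domain = strtolower( trim( $banned_domain ) );` at the top of the loop; the `trim()` also covers list entries that keep a trailing `\r` after `explode( "\n", ... )`. Separately, `explode( '@', $user_email )` without a limit takes the segment after the first `@` and raises a notice when the address has none; whether callers always pass an already-validated address is not visible here, so a guard or a comment stating that precondition would help.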