
Changeset 40595


Timestamp:
05/09/2017 04:54:52 PM (7 years ago)
Author:
jeremyfelt
Message:

Multisite: Check only valid looking emails against banned domain list.

If an email address is missing an @, we can't assume enough to check it against a list of domain names.

Additional validation of email should happen in is_email() before being passed to is_email_address_unsafe().

Fixes #39915.

Location:
trunk
Files:
2 edited

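--- a/trunk/src/wp-includes/ms-functions.php
+++ b/trunk/src/wp-includes/ms-functions.php
@@ -355,5 +355,5 @@
     $is_email_address_unsafe = false;
 
-    if ( $banned_names && is_array( $banned_names ) ) {
+    if ( $banned_names && is_array( $banned_names ) && false !== strpos( $user_email, '@', 1 ) ) {
         $banned_names = array_map( 'strtolower', $banned_names );
         $normalized_email = strtolower( $user_email );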
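Review bot: The new `false !== strpos( $user_email, '@', 1 )` guard makes the banned-domain check fail open: any input without an `@` past its first character now skips the block and the function reports it as safe, which matches the commit message but is not recorded where the decision is made. Add a comment above the condition, `// Only addresses with a domain part can be compared against the banned list; is_email() is expected to reject malformed input before this function is called.`, so readers do not take is_email_address_unsafe() for a validator. The offset of 1 also skips an address whose only `@` is the first character; presumably intentional since it has no local part, but worth stating in the same comment. The enclosing function starts and ends outside the hunk, so the docblock that should carry this caveat is not visible here.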
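--- a/trunk/tests/phpunit/tests/multisite/isEmailAddressUnsafe.php
+++ b/trunk/tests/phpunit/tests/multisite/isEmailAddressUnsafe.php
@@ -121,4 +121,20 @@
         );
     }
+
+    public function test_email_with_only_top_level_domain_returns_safe() {
+        update_site_option( 'banned_email_domains', 'bar.com' );
+        $safe = is_email_address_unsafe( 'email@localhost' );
+        delete_site_option( 'banned_email_domains' );
+
+        $this->assertFalse( $safe );
+    }
+
+    public function test_invalid_email_without_domain_returns_safe() {
+        update_site_option( 'banned_email_domains', 'bar.com' );
+        $safe = is_email_address_unsafe( 'invalid-email' );
+        delete_site_option( 'bar.com' );
+
+        $this->assertFalse( $safe );
+    }
 }
 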
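Review bot: In test_invalid_email_without_domain_returns_safe, `delete_site_option( 'bar.com' )` removes an option that was never set, so the `banned_email_domains` value written two lines earlier is left behind and leaks into whichever test runs next in the same process. The cleanup line should be `delete_site_option( 'banned_email_domains' );`, matching the preceding test_email_with_only_top_level_domain_returns_safe. Moving the delete into a tearDown() would also keep the cleanup from being skipped if the assertion ever throws first, but the one-line correction is the minimum needed here.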