Changeset 40595


Timestamp:
05/09/17 16:54:52 (8 months ago)
Author:
jeremyfelt
Message:

Multisite: Check only valid looking emails against banned domain list.

If an email address is missing an @, we can't assume enough to check it against a list of domain names.

Additional validation of email should happen in is_email() before being passed to is_email_address_unsafe().

Fixes #39915.

Location:
trunk
Files:
2 edited

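--- a/trunk/src/wp-includes/ms-functions.php
+++ b/trunk/src/wp-includes/ms-functions.php
@@ -355,5 +355,5 @@
     $is_email_address_unsafe = false;
 
-    if ( $banned_names && is_array( $banned_names ) ) {
+    if ( $banned_names && is_array( $banned_names ) && false !== strpos( $user_email, '@', 1 ) ) {
         $banned_names = array_map( 'strtolower', $banned_names );
         $normalized_email = strtolower( $user_email );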
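Review bot: The new `strpos( $user_email, '@', 1 )` guard means any value without an '@' past its first character now bypasses the banned-domain comparison entirely and, as far as this hunk shows, leaves `$is_email_address_unsafe` at the `false` it was initialised to on line 355, i.e. it is reported as safe rather than rejected. That is only acceptable because, per the commit message, callers are expected to run `is_email()` first, but nothing in the code records that precondition. I would add a comment above the condition: `// Only an address with an '@' past its first character can carry a domain to match; malformed input is left to is_email() and is not treated as unsafe here.` The body of `is_email_address_unsafe()` continues outside the hunk, so whether a later branch changes the result for such input cannot be confirmed from here.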
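--- a/trunk/tests/phpunit/tests/multisite/isEmailAddressUnsafe.php
+++ b/trunk/tests/phpunit/tests/multisite/isEmailAddressUnsafe.php
@@ -121,4 +121,20 @@
         );
     }
+
+    public function test_email_with_only_top_level_domain_returns_safe() {
+        update_site_option( 'banned_email_domains', 'bar.com' );
+        $safe = is_email_address_unsafe( 'email@localhost' );
+        delete_site_option( 'banned_email_domains' );
+
+        $this->assertFalse( $safe );
+    }
+
+    public function test_invalid_email_without_domain_returns_safe() {
+        update_site_option( 'banned_email_domains', 'bar.com' );
+        $safe = is_email_address_unsafe( 'invalid-email' );
+        delete_site_option( 'bar.com' );
+
+        $this->assertFalse( $safe );
+    }
 }
 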
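Review bot: In `test_invalid_email_without_domain_returns_safe()` the cleanup call deletes the wrong option: `delete_site_option( 'bar.com' );` targets an option named after the banned domain value, so `banned_email_domains` is left set to `'bar.com'` after this test and can leak into whichever test runs next. The sibling test above it shows the intended line; change it to `delete_site_option( 'banned_email_domains' );`. The enclosing test class starts outside the hunk, so I cannot tell whether a `tearDown()` happens to mask the leak.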