WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 3 months ago

#17433 new defect (bug)

localhost is not accepted as email domain

Reported by: sanvila
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version: 3.2
Component: Formatting
Keywords: has-patch needs-unit-tests
Focuses:
Cc:

Description

Hi. Tried to install WordPress on a Debian machine not connected to the Internet, only for testing purposes, so when the setup procedure asked me for an email address, I used mylogin@localhost. The setup procedure, however, rejected this as "invalid".

I think the bug is exactly in wp-includes/formatting.php, where it says:

    // Assume the domain will have at least two subs
    if ( 2 > count( $subs ) ) {
        return apply_filters( 'is_email', false, $email, 'domain_no_periods' );
    }

So: Could you please special-case "localhost" in is_email() so that it's allowed as email domain?

I guess the probability of someone using @localhost for email "by mistake" is extremely low, so this change will be unlikely to harm the average user.

Thanks.

Attachments (2)

17433.diff (3.2 KB) - added by kurtpayne 3 years ago.
17433-2.diff (4.8 KB) - added by kurtpayne 3 years ago.
Use filter_var to validate / sanitize e-mail addresses


Change History (11)

comment:1 sivel 3 years ago

  • Keywords reporter-feedback close added

Why not just use email@localhost.localdomain? That should work without issue.

Last edited 3 years ago by sivel

comment:2 sanvila 3 years ago

There are several reasons:

a) localhost is shorter and I expected it to work.

b) My MTA is usually not configured to accept mail for localhost.localdomain. I have never had a need for that in 15 years.

What's the problem with supporting localhost since it's correct?

BTW: The default value for DB_HOST in wp-config-sample.php is localhost. It would be somewhat contradictory that localhost is not even accepted for email!

comment:3 toscho 3 years ago

  • Cc info@… added

PHP 5.2 is now a requirement, so we should use the filter functions which allow me@localhost. See the plugin Extend Email Checks for an example.

Last edited 3 years ago by toscho

comment:4 SergeyBiryukov 3 years ago

  • Keywords needs-patch added; reporter-feedback close removed

comment:5 follow-up: kurtpayne 3 years ago

  • Cc kurtpayne added
  • Keywords has-patch added; needs-patch removed

This patch will allow dotless e-mail domains as long as the server can resolve the domain via a DNS lookup. It should allow "localhost" and other development domains, but prevent "fakedomain" (unless fakedomain resolves on your network).

If DNS times out on an invalid dotless domain, there may be a delay of up to 2 seconds. This should be encountered rarely, but, due to the stacking of sanitize_email() and is_email(), may be encountered twice in a row.

Thoughts about this approach?

kurtpayne 3 years ago

comment:6 in reply to: ↑ 5 westi 3 years ago

Replying to kurtpayne:

This patch will allow dotless e-mail domains as long as the server can resolve the domain via a DNS lookup. It should allow "localhost" and other development domains, but prevent "fakedomain" (unless fakedomain resolves on your network).

If DNS times out on an invalid dotless domain, there may be a delay of up to 2 seconds. This should be encountered rarely, but, due to the stacking of sanitize_email() and is_email(), may be encountered twice in a row.

Thoughts about this approach?

We don't want to add DNS lookups to every call to is_email as it could slow down a site unnecessarily and lead to other issues.

In general we should probably consider moving all of our validation filtering like this to use the filter_var stuff in PHP 5.2 now it is available to us.

kurtpayne 3 years ago

Use filter_var to validate / sanitize e-mail addresses

comment:7 kurtpayne 3 years ago

@westi I was ready to disagree and defend "user@localhost" as a valid address, but I dug into this a bit more and found this post on stackoverflow.com which changed my mind. The PHP developers who wrote the e-mail filter don't allow short domains because only FQDNs are allowed in SMTP servers according to RFC 5321.

Submitting patch 17433-2.diff to switch the email code to filter_var() as you and @toscho suggested.

comment:8 pauldewouters 14 months ago

  • Cc pauldewouters@… added

comment:9 nacin 3 months ago

  • Keywords needs-unit-tests added
  • Milestone changed from Awaiting Review to Future Release

Switching to filter_var() is a major design decision. We can move faster than PHP versions; filter_var() has had a lot of bugs over the years that don't get fixed until later versions of PHP if at all; etc. We need to study this carefully. And, yes, OMG it needs unit tests, and lots of them. The worst thing that we could do moving to filter_var() is regressing in other areas, as unlikely as it may be here.

Simply whitelisting 'localhost' seems like a good in-the-meantime solution.
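
The in-the-meantime allowlist discussed in this ticket, sketched as a callback on the `is_email` filter and `domain_no_periods` context quoted in the description. This is an added example, not code from the ticket, its attached patches or WordPress core; the function name `allow_localhost_email()` and the local-part pattern are assumptions, and the sample addresses are constructed.

```php
<?php
// Added example, not WordPress core code. allow_localhost_email() is a hypothetical name.
function allow_localhost_email( $is_email, $email, $context = null ) {
    // Only revisit the one rejection this ticket is about; leave every other verdict alone.
    if ( false !== $is_email || 'domain_no_periods' !== $context ) {
        return $is_email;
    }
    // Re-check the whole address here instead of relying on whatever
    // was validated before the dotless-domain test fired.
    $parts = explode( '@', (string) $email );
    if ( 2 !== count( $parts ) ) {
        return false;
    }
    list( $local, $domain ) = $parts;
    // Exact match only: other dotless names and "localhost\n" stay rejected.
    if ( 'localhost' !== strtolower( $domain ) ) {
        return false;
    }
    // Conservative local part (assumption): unquoted, no whitespace or control
    // characters. \z instead of $ so a trailing newline cannot slip through.
    if ( ! preg_match( '/^[A-Za-z0-9._+-]{1,64}\z/', $local ) ) {
        return false;
    }
    return $email; // truthy result: the accepted address
}

// Inside WordPress, register on the hook with all three arguments.
if ( function_exists( 'add_filter' ) ) {
    add_filter( 'is_email', 'allow_localhost_email', 10, 3 );
}

// Stand-alone demo with constructed inputs, run from the PHP CLI outside WordPress.
if ( 'cli' === PHP_SAPI && ! function_exists( 'add_filter' ) ) {
    $samples = array(
        'mylogin@localhost', 'mylogin@LOCALHOST', 'mylogin@fakedomain',
        "mylogin@localhost\n", "my\r\nlogin@localhost", 'a@b@localhost',
    );
    foreach ( $samples as $s ) {
        $ok  = allow_localhost_email( false, $s, 'domain_no_periods' );
        $php = filter_var( $s, FILTER_VALIDATE_EMAIL ); // PHP's own validator, for comparison
        printf( "%-28s allowlist: %-6s filter_var: %s\n", json_encode( $s ),
            false === $ok ? 'reject' : 'accept', false === $php ? 'reject' : 'accept' );
    }
}
```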
