WordPress.org

Make WordPress Core

Opened 6 years ago

Last modified 6 days ago

#24487 new defect (bug)

is_email() does not recognize IDN domains

Reported by: OlegCorner Owned by:
Milestone: Future Release Priority: normal
Severity: minor Version: 3.5.1
Component: Formatting Keywords: has-patch is-email
Focuses: Cc:

Description (last modified by SergeyBiryukov)

Insufficient validation of the domain name in function is_email of wp-includes/formatting.php.
WordPress 3.5.1 > , including trunk.
Test for invalid characters does not test Unicode symbols in international domain, such as Cyrillic domains and other Unicode domains.

Attachments (2)

24487_3.5.1.patch (364 bytes) - added by OlegCorner 6 years ago.
24487_trunk.patch (497 bytes) - added by OlegCorner 6 years ago.

Download all attachments as: .zip

Change History (9)

#1 @SergeyBiryukov
6 years ago

  • Description modified (diff)
  • Summary changed from Insufficient validation of the domain name in wp-includes/formatting.php to is_email() does not recognize IDN domains

Related: #17491

#2 @nacin
6 years ago

  • Milestone changed from Awaiting Review to Future Release

Hi OlegCorner. We had quite a bit of "fun" with \P{L}, as it is possible to compile PCRE without Unicode support. See #22692. Not sure what to do here, though it does seem to be possible to check for this support with a separate check, then allow IDN domains through if so. Or, there might be another way to check for this.

#3 @miqrogroove
4 years ago

  • Keywords is-email added

#4 @mitjajez
4 years ago

Can't find how to make a patch here, but i belive we need do add idn_to_ascii function php > 5.4.0

$domain = idn_to_ascii($domain);

on line #2422 in wp-includes/formatting.php

and later

$email = implode( '@', array($local, $domain));

on line #2446 in wp-includes/formatting.php

#5 @rmccue
3 years ago

It's worth mentioning that WordPress now includes an IDN parser inside Requests: Requests_IDNAEncoder. We could convert IDN domains to their ASCII representation, and if that fails, the domain is invalid. If it succeeds, it can then go through the regular email checks.

#6 @birgire
14 months ago

#44616 was marked as a duplicate.

This ticket was mentioned in Slack in #core by ocean90. View the logs.


6 days ago

Note: See TracTickets for help on using tickets.