WordPress.org

Make WordPress Core

Opened 22 months ago

Closed 20 months ago

Last modified 14 months ago

#43148 closed defect (bug) (fixed)

Email domain whitelist checks should be case-insensitive

Reported by: greatislander Owned by: jeremyfelt
Milestone: 5.1 Priority: normal
Severity: normal Version: 4.9.2
Component: Networks and Sites Keywords: has-patch has-unit-tests
Focuses: multisite Cc:
PR Number:

Description

Within wpmu_validate_user_signup(), the user email domain is compared to an array of whitelisted email domains using in_array(). While these lines in is_email_address_unsafe() normalize the user email domain and array of banned email domains by making both lowercase before comparing, this code in wpmu_validate_user_signup() does not normalize case before comparing. This can lead to unexpected behaviour, as in_array() compares strings in a case-sensitive manner.

Given an email domain whitelist as follows…

$limited_email_domains = [ 'wordpress.org' ];

… a user who attempts to register with capital_P_dangit@WordPress.org will receive the following error:

Sorry, that email address is not allowed!

Domain names should be evaluated in a case-insensitive manner in this context.

Attachments (2)

43148.diff (868 bytes) - added by greatislander 22 months ago.
Patch from https://github.com/WordPress/WordPress/pull/337
43148.1.diff (1.8 KB) - added by greatislander 22 months ago.
Add test, add true parameter to in_array()

Download all attachments as: .zip

Change History (12)

#1 @greatislander
22 months ago

  • Summary changed from Email domain whitelists checks should be case-insensitive to Email domain whitelist checks should be case-insensitive

This ticket was mentioned in Slack in #core-multisite by greatislander. View the logs.


22 months ago

@greatislander
22 months ago

Add test, add true parameter to in_array()

This ticket was mentioned in Slack in #core-multisite by greatislander. View the logs.


22 months ago

#4 @greatislander
22 months ago

  • Keywords has-patch has-unit-tests added

This ticket was mentioned in Slack in #core-multisite by greatislander. View the logs.


21 months ago

#6 @mnelson4
21 months ago

These changes seem very straightforward and @greatislander provided good support for why the domains should be compared in a case-insensitive way.

#7 @SergeyBiryukov
21 months ago

  • Milestone changed from Awaiting Review to 5.0

#8 @jeremyfelt
20 months ago

  • Owner set to jeremyfelt
  • Status changed from new to reviewing

#9 @jeremyfelt
20 months ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

In 42858:

Multisite: Use case-insensitive check on email domain whitelist.

Props greatislander.
Fixes #43148.

#10 @flixos90
14 months ago

  • Milestone changed from 5.0 to 5.1
Note: See TracTickets for help on using tickets.