id: 43148
summary: Email domain whitelist checks should be case-insensitive
reporter: greatislander
owner: jeremyfelt
description:

Within `wpmu_validate_user_signup()`, the user email domain is compared to an array of whitelisted email domains using `in_array()`.

While [https://core.trac.wordpress.org/browser/trunk/src/wp-includes/ms-functions.php#L390 these lines] in `is_email_address_unsafe()` normalize the user email domain and array of banned email domains by making both lowercase before comparing, [https://core.trac.wordpress.org/browser/trunk/src/wp-includes/ms-functions.php#L501 this code] in `wpmu_validate_user_signup()` does not normalize case before comparing. This can lead to unexpected behaviour, as `in_array()` compares strings in a [https://secure.php.net/manual/en/function.in-array.php case-sensitive manner].

Given an email domain whitelist as follows…

{{{
$limited_email_domains = [ 'wordpress.org' ];
}}}

… a user who attempts to register with `capital_P_dangit@WordPress.org` will receive the following error:

Sorry, that email address is not allowed!

Domain names should be evaluated in a [https://tools.ietf.org/html/rfc4343#section-2 case-insensitive manner] in this context.

type: defect (bug)
status: closed
priority: normal
milestone: 5.1
component: Networks and Sites
version: 4.9.2
severity: normal
resolution: fixed
keywords: has-patch has-unit-tests
cc:
focuses: multisite
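
The comparison described in this ticket, as an added example that is not WordPress core code and not the ticket's patch: a case-sensitive `in_array()` check beside one that lowercases both the address domain and the list entries first. The function names and every sample address except `capital_P_dangit@WordPress.org` are constructed for illustration.

```php
<?php
// Added illustration; not WordPress core code. Function names are hypothetical.

// Return the part after the last "@", or null if the address has no domain.
function email_domain(string $email): ?string {
    $at = strrpos($email, '@');
    if ($at === false || $at === strlen($email) - 1) {
        return null;
    }
    return substr($email, $at + 1);
}

// Case-sensitive membership test, the behaviour the ticket reports.
function allowed_case_sensitive(string $email, array $allowed): bool {
    $domain = email_domain($email);
    return $domain !== null && in_array($domain, $allowed, true);
}

// Lowercase both sides before comparing, so case differences do not matter.
function allowed_normalized(string $email, array $allowed): bool {
    $domain = email_domain(trim($email));
    if ($domain === null) {
        return false;
    }
    $allowed = array_map('strtolower', array_map('trim', $allowed));
    return in_array(strtolower($domain), $allowed, true);
}

$limited_email_domains = ['wordpress.org', 'Example.COM']; // second entry is constructed

$samples = [
    'capital_P_dangit@WordPress.org', // from the ticket
    'user@wordpress.org',             // constructed
    'user@example.com',               // constructed: list entry has mixed case
    'user@wordpress.org.other.test',  // constructed: longer domain, must stay rejected
    'no-at-sign',                     // constructed: malformed, must stay rejected
];

foreach ($samples as $email) {
    printf(
        "%-32s case-sensitive=%-5s normalized=%s\n",
        $email,
        var_export(allowed_case_sensitive($email, $limited_email_domains), true),
        var_export(allowed_normalized($email, $limited_email_domains), true)
    );
}
```

Normalizing the list entries as well as the address matters because an administrator may have typed a whitelist domain in mixed case; the match remains an exact whole-domain comparison, so a longer domain that merely starts with an allowed one is still rejected.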