WordPress.org

Make WordPress Core

Opened 2 weeks ago

Last modified 39 hours ago

#52976 new defect (bug)

user emails comparison should be case insensitive

Reported by: asaifm Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 4.3
Component: Users Keywords: good-first-bug has-patch
Focuses: Cc:

Description (last modified by sabernhardt)

In user.php for WordPress 5.7, email update comparisons are case sensitive. Is there a specific reason for this? Because emails are case insensitive. Here is the line that does that:

if ( isset( $userdata['user_email'] ) && $user['user_email'] !== $userdata['user_email'] )


Can the function:

strcasecmp

be used instead? The problem is that there is a plugin that uses the function:

wp_update_user

And it would send a notification for email change even if it was the casing of the characters only.

Thanks for your time and consideration

Attachments (1)

52976.diff (6.6 KB) - added by paaggeli 39 hours ago.
case-insensitive email comparison using strcasecmp() function

Download all attachments as: .zip

Change History (7)

#1 follow-up: @dd32
2 weeks ago

  • Component changed from General to Users

Hi @asaifm and welcome to Trac!

Updating this to use lower-case comparisons (Just throw it through strtolower() IMHO) seems reasonable, however.. a plugin altering the user email address to lower case does seem unexpected and potentially a bigger bug than this is.

Just as a note, user@example.com and USER@example.com could technically be different users, as the email standard delegates that to the mail servers, however in reality no mail servers that I'm aware of have case sensitive handling..

#2 in reply to: ↑ 1 @asaifm
2 weeks ago

Hello @dd32,

Thanks for your response. The plugin that uses wp_update_user does not alter the casing. It simply passes the email address to it and does not perform any checks on the similarity of the old and new addresses.

Ok, I have seen your note in https://tools.ietf.org/html/rfc5321 now. I am not sure how to take this further, so feel free to close the ticket if you prefer to stick to the RFC.

Last edited 2 weeks ago by asaifm (previous) (diff)

#3 @sabernhardt
2 weeks ago

  • Description modified (diff)
  • Version changed from 5.7 to 4.3

Related: #32158

strcasecmp was used for the wp_insert_user function (but not wp_update_user)

#4 @dd32
2 weeks ago

  • Keywords needs-patch good-first-bug added

Just noting the locations I could find that use != for email comparisons:

wp-includes/user.php:		if ( $user_email !== $old_user_data->user_email || $user_pass !== $old_user_data->user_pass ) {
wp-includes/user.php:	if ( isset( $userdata['user_email'] ) && $user['user_email'] !== $userdata['user_email'] ) {

wp-admin/user-edit.php:		if ( $new_email && $new_email['newemail'] != $current_user->user_email && $profileuser->ID == $current_user->ID ) :

wp-admin/index.php:	$hide = ( 0 === $option || ( 2 === $option && wp_get_current_user()->user_email !== get_option( 'admin_email' ) ) );

wp-admin/includes/class-wp-screen.php:				if ( 2 === $welcome_checked && wp_get_current_user()->user_email !== get_option( 'admin_email' ) ) {

wp-admin/options-general.php:if ( $new_admin_email && get_option( 'admin_email' ) !== $new_admin_email ) :

And for completeness, those which use strcasecmp():

wp-includes/capabilities.php:	if ( $user && 0 !== strcasecmp( $user->user_email, get_site_option( 'admin_email' ) ) ) {
wp-includes/pluggable.php:			if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) ) {
wp-includes/pluggable.php:		if ( 0 !== strcasecmp( $user->user_email, get_option( 'admin_email' ) ) ) {
wp-includes/user.php:	if ( ( ! $update || ( ! empty( $old_user_data ) && 0 !== strcasecmp( $user_email, $old_user_data->user_email ) ) )
wp-admin/user-edit.php:			<?php if ( 0 !== strcasecmp( $profileuser->user_email, get_site_option( 'admin_email' ) ) || ! is_super_admin( $profileuser->ID ) ) : ?>

#5 @paaggeli
13 days ago

Hi, I found some other locations that use !== and === for emails comparisons.

wp-admin\includes\class-wp-automatic-updater.php: 
if ( $notified && get_site_option( 'admin_email' ) === $notified['email'] && $notified['version'] == $item->current ) {

wp-admin\includes\class-wp-automatic-updater.php: 
if ( $n && 'fail' === $n['type'] && get_site_option( 'admin_email' ) === $n['email'] && $n['version'] == $core_update->current ) {

wp-admin\includes\misc.php:
if ( get_option( 'admin_email' ) === $value || ! is_email( $value ) ) {

wp-admin\network\settings.php:
if ( $new_admin_email && get_site_option( 'admin_email' ) !== $new_admin_email ) :

wp-includes\ms-functions.php:
if ( get_site_option( 'admin_email' ) === $value || ! is_email( $value ) ) {

Because I'm new to contributing to WordPress, should I create a patch that uses strcasecmp() for email comparisons, or should I wait until it's clear that we need case insensitive email comparison?

@paaggeli
39 hours ago

case-insensitive email comparison using strcasecmp() function

#6 @paaggeli
39 hours ago

  • Keywords has-patch added; needs-patch removed
Note: See TracTickets for help on using tickets.