sergiotarxz/Wordpress
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Multisite: Check only valid looking emails against banned domain list.

Browse Source 
If an email address is missing an `@`, we can't assume enough to check it against a list of domain names.

Additional validation of email should happen in `is_email()` before being passed to `is_email_address_unsafe()`.

Fixes #39915.


git-svn-id: https://develop.svn.wordpress.org/trunk@40595 602fd350-edb4-49c9-b593-d223f7449a82
This commit is contained in:
Jeremy Felt 2017-05-09 16:54:52 +00:00
parent 3e9c46812c
commit 0dd638a2e7
2 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/wp-includes/ms-functions.php
View File

@ -354,7 +354,7 @@ function is_email_address_unsafe( $user_email ) {
$is_email_address_unsafe = false;
if ( $banned_names && is_array( $banned_names ) ) {
if ( $banned_names && is_array( $banned_names ) && false !== strpos( $user_email, '@', 1 ) ) {
$banned_names = array_map( 'strtolower', $banned_names );
$normalized_email = strtolower( $user_email );

16
tests/phpunit/tests/multisite/isEmailAddressUnsafe.php
View File

@ -120,6 +120,22 @@ class Tests_Multisite_IsEmailAddressUnsafe extends WP_UnitTestCase {
),
);
}
public function test_email_with_only_top_level_domain_returns_safe() {
update_site_option( 'banned_email_domains', 'bar.com' );
$safe = is_email_address_unsafe( 'email@localhost' );
delete_site_option( 'banned_email_domains' );
$this->assertFalse( $safe );
}
public function test_invalid_email_without_domain_returns_safe() {
update_site_option( 'banned_email_domains', 'bar.com' );
$safe = is_email_address_unsafe( 'invalid-email' );
delete_site_option( 'bar.com' );
$this->assertFalse( $safe );
}
}
endif;