From 0dd638a2e72b6142b32e753daa5494cd95a16bed Mon Sep 17 00:00:00 2001 From: Jeremy Felt Date: Tue, 9 May 2017 16:54:52 +0000 Subject: [PATCH] Multisite: Check only valid looking emails against banned domain list. If an email address is missing an `@`, we can't assume enough to check it against a list of domain names. Additional validation of email should happen in `is_email()` before being passed to `is_email_address_unsafe()`. Fixes #39915. git-svn-id: https://develop.svn.wordpress.org/trunk@40595 602fd350-edb4-49c9-b593-d223f7449a82 --- src/wp-includes/ms-functions.php | 2 +- .../tests/multisite/isEmailAddressUnsafe.php | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/src/wp-includes/ms-functions.php b/src/wp-includes/ms-functions.php index c81210042b..16cb294359 100644 --- a/src/wp-includes/ms-functions.php +++ b/src/wp-includes/ms-functions.php @@ -354,7 +354,7 @@ function is_email_address_unsafe( $user_email ) { $is_email_address_unsafe = false; - if ( $banned_names && is_array( $banned_names ) ) { + if ( $banned_names && is_array( $banned_names ) && false !== strpos( $user_email, '@', 1 ) ) { $banned_names = array_map( 'strtolower', $banned_names ); $normalized_email = strtolower( $user_email ); diff --git a/tests/phpunit/tests/multisite/isEmailAddressUnsafe.php b/tests/phpunit/tests/multisite/isEmailAddressUnsafe.php index 93bc24bda5..65377610fb 100644 --- a/tests/phpunit/tests/multisite/isEmailAddressUnsafe.php +++ b/tests/phpunit/tests/multisite/isEmailAddressUnsafe.php 
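Review bot: The added `false !== strpos( $user_email, '@', 1 )` condition makes the banned-domain check fail open: any value with no `@` past its first character (for example `bar.com` or `@bar.com`) now skips the list entirely and the function reports it as safe, which is only acceptable if callers really do run `is_email()` first, as the commit message states. That contract should be visible at the site itself; add above the condition `// Only consult the banned list when the address has a domain part ('@' with at least one character before it); malformed input is left to is_email().`, and state in the function's docblock that the return value is only meaningful for an address that already passed `is_email()`. If the rest of the body derives the domain by splitting on `@`, the guard presumably also stops that split from running on a domainless string, which looks like the motivating case for #39915. The function's docblock and the remainder of its body are outside the hunk.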
@@ -120,6 +120,22 @@ class Tests_Multisite_IsEmailAddressUnsafe extends WP_UnitTestCase { ), ); } + + public function test_email_with_only_top_level_domain_returns_safe() { + update_site_option( 'banned_email_domains', 'bar.com' ); + $safe = is_email_address_unsafe( 'email@localhost' ); + delete_site_option( 'banned_email_domains' ); + + $this->assertFalse( $safe ); + } + + public function test_invalid_email_without_domain_returns_safe() { + update_site_option( 'banned_email_domains', 'bar.com' ); + $safe = is_email_address_unsafe( 'invalid-email' ); + delete_site_option( 'bar.com' ); + + $this->assertFalse( $safe ); + } } endif;
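Review bot: `delete_site_option( 'bar.com' )` in `test_invalid_email_without_domain_returns_safe` deletes an option that does not exist and leaves `banned_email_domains` set to `bar.com` after the test, so the banned list leaks into whichever test runs next; it should read `delete_site_option( 'banned_email_domains' );` as the preceding test does. Both new tests also store the option as a plain string, while the production hunk guards on `is_array( $banned_names )`; if nothing between `get_site_option()` and that check normalises the value to an array, the assertions would pass for the wrong reason (the array check rather than the new `@` check), so either an array-valued case or a short comment explaining why a string is expected would make the intent clear. The enclosing class `Tests_Multisite_IsEmailAddressUnsafe` begins above the hunk.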