[wp-trac] [WordPress Trac] #43148: Email domain whitelists checks should be case-insensitive
WordPress Trac
noreply at wordpress.org
Tue Jan 23 15:52:46 UTC 2018
#43148: Email domain whitelists checks should be case-insensitive
--------------------------------+-----------------------------
Reporter: greatislander | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Networks and Sites | Version: 4.9.2
Severity: normal | Keywords:
Focuses: multisite |
--------------------------------+-----------------------------
Within `wpmu_validate_user_signup()`, the user email domain is compared to
an array of whitelisted email domains using `in_array()`. While
[https://core.trac.wordpress.org/browser/trunk/src/wp-includes/ms-functions.php#L390 these lines]
in `is_email_address_unsafe()` normalize
the user email domain and array of banned email domains by making both
lowercase before comparing,
[https://core.trac.wordpress.org/browser/trunk/src/wp-includes/ms-functions.php#L501 this code]
in `wpmu_validate_user_signup()` does not
normalize case before comparing. This can lead to unexpected behaviour, as
`in_array()` compares strings in a
[https://secure.php.net/manual/en/function.in-array.php case-sensitive
manner].
Given an email domain whitelist as follows…
{{{
$limited_email_domains = [ 'wordpress.org' ];
}}}
… a user who attempts to register with `capital_P_dangit@WordPress.org`
will receive the following error:
Sorry, that email address is not allowed!
Domain names should be evaluated in a
[https://tools.ietf.org/html/rfc4343#section-2 case-insensitive manner] in
this context.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43148>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
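
An added example, not part of the original ticket and not WordPress core code: the case-sensitive `in_array()` check the ticket describes, next to a check that lowercases both the address domain and the allowlist before comparing. The `example_*` function names and the sample addresses are constructed for illustration.

```php
<?php
// Added illustration; hypothetical helper names, not WordPress core functions.

/** Return the domain part of an address (text after the last "@"), or '' if none. */
function example_email_domain( string $email ): string {
	$at = strrpos( $email, '@' );
	return false === $at ? '' : substr( $email, $at + 1 );
}

/** Case-sensitive allowlist check, the behaviour described in the ticket. */
function example_domain_allowed_case_sensitive( string $email, array $allowed ): bool {
	return in_array( example_email_domain( $email ), $allowed );
}

/** Normalized check: lowercase the domain and every allowlist entry first. */
function example_domain_allowed_normalized( string $email, array $allowed ): bool {
	$domain  = strtolower( example_email_domain( $email ) );
	$allowed = array_map( 'strtolower', array_map( 'trim', $allowed ) );
	// Strict comparison on already-normalized strings; empty domain never matches.
	return '' !== $domain && in_array( $domain, $allowed, true );
}

$limited_email_domains = [ 'wordpress.org' ];

// Constructed sample addresses.
$samples = [
	'capital_P_dangit@wordpress.org',
	'capital_P_dangit@WordPress.org',         // rejected by the case-sensitive check
	'capital_P_dangit@WORDPRESS.ORG',
	'capital_P_dangit@wordpress.org.example', // different domain, stays rejected
	'no-at-sign',                             // malformed, stays rejected
];

foreach ( $samples as $email ) {
	printf(
		"%-42s case_sensitive=%-5s normalized=%s\n",
		$email,
		var_export( example_domain_allowed_case_sensitive( $email, $limited_email_domains ), true ),
		var_export( example_domain_allowed_normalized( $email, $limited_email_domains ), true )
	);
}
```

Normalization only changes the outcome for case variants of an allowed domain; it is still an exact match, so a longer domain that merely begins with an allowed one remains rejected.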