[wp-trac] [WordPress Trac] #15706: Allow wildcarded domains in multisite limited email domains
WordPress Trac
wp-trac at lists.automattic.com
Mon Dec 6 20:56:09 UTC 2010
#15706: Allow wildcarded domains in multisite limited email domains
-------------------------+--------------------------------------------------
Reporter: djcp | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Future Release
Component: Multisite | Version:
Severity: normal | Keywords: has-patch
-------------------------+--------------------------------------------------
Changes (by djcp):
* keywords: needs-patch => has-patch
Comment:
So if a limited domain begins with "*.", we nick off those characters and
check it against the right side of the user's email domain. If a limited
domain doesn't begin with "*.", we just check it normally while iterating
through the limited domains.
This should be fully backwards compatible; we've just expanded out the
in_array to inspect each limited_domain value, making those prefixed with
"*." match their subdomains.
So here at Harvard, our allowed domain list looks like:
harvard.edu
hbs.edu
radcliffe.edu
*.harvard.edu
*.hbs.edu
*.radcliffe.edu
It's important that we keep wildcarding to subdomains and not actual
domain names. Otherwise, if ibm.com was using this feature with a wildcard
thusly:
*ibm.com
I could register "notibm.com" and exploit their multisite install. Since
we require wildcarding on the subdomain level ("*.ibm.com"), that's not
possible.
I suppose you could do something stupid like enter "*.com" and allow
anyone with a .com address to register in your multisite install, but
c'mon. You can't fix stupid.
I also added the "*" to the limited_email_domain regex in
wp-admin/network/edit.php.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/15706#comment:2>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
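
Added example (not the patch attached to this ticket and not WordPress core code): one way to implement the matching rule described in the comment, keeping the leading dot in the suffix comparison so a wildcard only matches at a subdomain boundary. The function name is_email_domain_allowed() and the sample addresses are assumptions constructed for illustration.

```php
<?php
// Hypothetical helper: returns true when the address's domain is on the list.
// Entries starting with "*." match subdomains only; other entries match exactly.
function is_email_domain_allowed(string $email, array $limited_domains): bool
{
    $at = strrpos($email, '@');
    if ($at === false || $at === strlen($email) - 1) {
        return false; // no domain part to check
    }
    $domain = strtolower(substr($email, $at + 1));

    foreach ($limited_domains as $entry) {
        $entry = strtolower(trim($entry));
        if ($entry === '') {
            continue;
        }
        if (strncmp($entry, '*.', 2) === 0) {
            // Drop only the "*": ".harvard.edu" keeps its leading dot, so
            // "notharvard.edu" cannot match on a bare string suffix.
            $suffix = substr($entry, 1);
            if (strlen($domain) > strlen($suffix)
                && substr($domain, -strlen($suffix)) === $suffix) {
                return true;
            }
        } elseif ($domain === $entry) {
            return true; // plain entry: exact match, as with in_array()
        }
    }
    return false;
}

// Constructed sample list and addresses, mapped to the expected decision.
$allowed = ['harvard.edu', '*.harvard.edu', '*.ibm.com'];
$samples = [
    'a@harvard.edu'             => true,
    'a@law.harvard.edu'         => true,
    'a@notharvard.edu'          => false,
    'a@notibm.com'              => false,
    'a@ibm.com'                 => false, // "*.ibm.com" alone does not cover the bare domain
    'a@research.ibm.com'        => true,
    'a@harvard.edu.example.net' => false,
];
foreach ($samples as $email => $expected) {
    $got = is_email_domain_allowed($email, $allowed);
    if ($got !== $expected) {
        throw new RuntimeException("unexpected result for $email");
    }
    printf("%-28s %s\n", $email, $got ? 'allowed' : 'rejected');
}
```

The bare domain is listed separately from its wildcard entry, as in the Harvard list above, because the wildcard form is treated here as matching subdomains only.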