[wp-trac] [WordPress Trac] #44683: Export and Erase personal data - emails sent to wrong address if username is an email address which is different from the actual email address
WordPress Trac
noreply at wordpress.org
Tue Jul 31 13:28:29 UTC 2018
#44683: Export and Erase personal data - emails sent to wrong address if username
is an email address which is different from the actual email address
------------------------------+------------------------------
Reporter: subrataemfluence | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Gallery | Version: trunk
Severity: normal | Keywords: 2nd-opinion GDPR
Focuses: |
------------------------------+------------------------------
This issue might already have been discussed in another ticket, but I was
unable to find it.
When a user has set his username to an email address (may not be a valid
one), then WordPress will be forced to send the verification request to
the wrong one.
Here is an example:
Username: `fake@bbbb.com`
For the above, the following code block won't execute:
{{{
if ( ! is_email( $username_or_email_address ) ) {
...
}
}}}
but this line will be executed:
{{{
$email_address = $username_or_email_address;
}}}
Which means the email is now supposed to be sent to `fake@bbbb.com`.
I would suggest that even if a username looks like it has a valid email
address pattern like the one above, rather than directly assigning it to
the `$email_address` variable, we might take an extra step to find the real
email address attached to this account before sending the request.
Here is a suggestion:
{{{#!php
<?php
if ( ! is_email( $username_or_email_address ) ) {
    ...
} else {
    $user = get_user_by( 'login', $username_or_email_address );
    if ( $user instanceof WP_User ) {
        $email_address = $user->user_email;
    } else {
        $email_address = $username_or_email_address;
    }
}
}}}
Please let me know if this makes any sense!
--
Ticket URL: <https://core.trac.wordpress.org/ticket/44683>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
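The two behaviours compared in the ticket, as an added stand-alone example that is not part of the original message or of WordPress core. The helper functions and the sample accounts are constructed stand-ins, and the branch the ticket elides with `...` is assumed here to be a lookup by login.

```php
<?php
// Added illustration: simplified stand-ins, not WordPress core code.

// Constructed sample accounts: login => registered email address.
const USERS = [
    'fake@bbbb.com' => 'owner@example.org', // login that looks like an email
    'alice'         => 'alice@example.org',
];

// Stand-in for is_email(): syntax check only, says nothing about ownership.
function looks_like_email( string $value ): bool {
    return false !== filter_var( $value, FILTER_VALIDATE_EMAIL );
}

// Stand-in for get_user_by( 'login', ... ): registered email, or null if no such login.
function email_for_login( string $login ): ?string {
    return USERS[ $login ] ?? null;
}

// Behaviour the ticket describes: email-shaped input is used directly as the recipient.
function resolve_current( string $input ): ?string {
    if ( ! looks_like_email( $input ) ) {
        return email_for_login( $input ); // assumed content of the elided branch
    }
    return $input;
}

// Behaviour the ticket suggests: try the login lookup first, fall back to the input.
function resolve_suggested( string $input ): ?string {
    if ( ! looks_like_email( $input ) ) {
        return email_for_login( $input ); // assumed content of the elided branch
    }
    return email_for_login( $input ) ?? $input;
}

// Three cases: email-shaped login, plain login, address with no matching login.
foreach ( [ 'fake@bbbb.com', 'alice', 'guest@example.net' ] as $input ) {
    printf(
        "%-18s current=%-18s suggested=%s\n",
        $input,
        resolve_current( $input ) ?? '(no user)',
        resolve_suggested( $input ) ?? '(no user)'
    );
}
```

Only the first input differs between the two functions: the current logic addresses the request to `fake@bbbb.com`, while the suggested logic addresses it to the account's registered email.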