
Changeset 10941


Timestamp:
04/30/2021 08:44:23 AM (3 years ago)
Author:
dd32
Message:

Login: Only allow one signup at a time by "inbox", that is, ignoring plus addressing.

This is mostly to combat spammers using myemail+sldkjasldf@… to create multiple accounts.
This does not prevent plus addressing being used.
This does not prevent multiple accounts using plus addressing from existing; it only ensures that a single account via plus addressing can be created per 2 weeks.

Location:
sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login
Files:
2 edited

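--- a/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-registration.php
@@ -213,4 +213,26 @@
 
     return $pending_user;
+}
+
+/**
+ * Fetches a pending user record from the database by "inbox", ignoring plus addressing.
+ */
+function wporg_get_pending_user_by_email_wildcard( $email ) {
+    global $wpdb;
+
+    $email_wildcard = preg_replace( '/[+][^@]+@/i', '+%@', $wpdb->esc_like( $email ) );  // abc+def@ghi => abc+%@ghi
+    $email_base     = preg_replace( '/[+][^@]+@/i', '@', $email ); // abc+def@ghi => abc@ghi
+
+    $matching_email = $wpdb->get_var( $sql = $wpdb->prepare(
+        "SELECT `user_email` FROM `{$wpdb->base_prefix}user_pending_registrations` WHERE ( `user_email` = %s OR `user_email` LIKE %s ) LIMIT 1",
+        $email_base,
+        $email_wildcard
+    ) );
+
+    if ( $matching_email ) {
+        return wporg_get_pending_user( $matching_email );
+    }
+
+    return false;
 }
 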
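Review bot: Both `preg_replace` patterns in `wporg_get_pending_user_by_email_wildcard()` use `[^@]+`, so an address with an empty tag (`abc+@ghi`) is left unchanged and the query degenerates to the exact-match lookup the caller has already done; whether such an address passes the earlier email validation is not visible here. Using `[^@]*` in both patterns (`'/[+][^@]*@/'`) would normalise that case too, since `%` in the LIKE pattern also matches an empty tag. The `$sql =` assignment inside `get_var()` is never read and looks like debugging residue, and the `/i` flag has no effect on a pattern that contains no letters. The docblock would also benefit from `@param string $email` and a `@return` line stating that the function returns whatever `wporg_get_pending_user()` returns for the matched address, or `false` when nothing matches.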
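--- a/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-restapi.php
+++ b/sites/trunk/wordpress.org/public_html/wp-content/themes/pub/wporg-login/functions-restapi.php
@@ -85,5 +85,12 @@
 
     // Check we don't have a pending registration for that email.
-    if ( $pending = wporg_get_pending_user( $email ) ) {
+    $pending = wporg_get_pending_user( $email );
+
+    // And that there's no pending account signups for other emails for that inbox.
+    if ( ! $pending && false !== strpos( $email, '+' ) ) {
+        $pending = wporg_get_pending_user_by_email_wildcard( $email );
+    }
+
+    if ( $pending ) {
         return [
             'available' => false,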
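Review bot: The inbox-level lookup runs only when the submitted address contains `+`, so a plain `abc@ghi` signup is not checked against a pending `abc+def@ghi` registration, while the reverse order is caught through the helper's `$email_base` match. That leaves two concurrent pending signups possible for one inbox, which appears to fall short of the "one signup at a time by inbox" goal stated in the commit message. Dropping the `strpos()` condition is not enough on its own, because the helper as written builds no wildcard for an address without a tag; it would also need to derive `abc+%@ghi` from `abc@ghi`. The enclosing function begins and ends outside this hunk, so how `$email` is validated before this point is not visible. If the current behaviour is intended, a comment such as `// Only plus-addressed signups are checked against the inbox; plain addresses are matched exactly.` would document it.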