From 1b873c8a19cd242bbdb0158ad57de41bb5282d5f Mon Sep 17 00:00:00 2001
From: Adam Silverstein
Date: Fri, 17 Feb 2023 08:10:22 +0000
Subject: [PATCH] Login and Registration: prevent registering with username that matches previous user email. When registering a new user, check that no existing user has an email matching the username. Prevents a login name collision when one user registers with the email address user@test.com and a second user tries to register with the username user@test.com. Props buutqn, dunhakdis, roytanck, ajayver. Fixes #57394. Built from https://develop.svn.wordpress.org/trunk@55358 git-svn-id: http://core.svn.wordpress.org/trunk@54891 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/user.php | 9 ++++++++-
 wp-includes/version.php | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/wp-includes/user.php b/wp-includes/user.php
index 867df81e16..e0cfae9188 100644
--- a/wp-includes/user.php
+++ b/wp-includes/user.php
@@ -2123,10 +2123,16 @@ function wp_insert_user( $userdata ) {
 return new WP_Error( 'user_login_too_long', __( 'Username may not be longer than 60 characters.' ) );
 }
+ // Username must be unique.
 if ( ! $update && username_exists( $user_login ) ) {
 return new WP_Error( 'existing_user_login', __( 'Sorry, that username already exists!' ) );
 }
+ // Username must not match an existing user email.
+ if ( email_exists( $user_login ) ) {
+ return new WP_Error( 'existing_user_login_as_email', __( 'Sorry, that username is not available.' ) );
+ }
+
 /**
 * Filters the list of disallowed usernames.
 *
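Review bot: The new `email_exists( $user_login )` check in `wp_insert_user()` is not guarded by `! $update`, unlike the `username_exists()` check directly above it. If the update path reaches this point with the user's unchanged login (that part of the function is outside the hunk), an account whose login is its own email address would presumably get `existing_user_login_as_email` back on every profile or password update. Mirroring the existing guard, `if ( ! $update && email_exists( $user_login ) ) {`, keeps the collision check for new registrations without locking such accounts out of updates. If updates must be covered as well, compare the ID that `email_exists()` returns with the ID of the user being saved before rejecting.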
@@ -3340,7 +3346,8 @@ function register_new_user( $user_login, $user_email ) {
 $sanitized_user_login = '';
 } elseif ( username_exists( $sanitized_user_login ) ) {
 $errors->add( 'username_exists', __( 'Error: This username is already registered. Please choose another one.' ) );
-
+ } elseif ( email_exists( $sanitized_user_login ) ) {
+ $errors->add( 'username_exists_as_email', __( 'Error: This username is not available. Please choose another one.' ) );
 } else {
 /** This filter is documented in wp-includes/user.php */
 $illegal_user_logins = (array) apply_filters( 'illegal_user_logins', array() );
diff --git a/wp-includes/version.php b/wp-includes/version.php
index c172abf486..1ce6ce4707 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -16,7 +16,7 @@
 *
 * @global string $wp_version
 */
-$wp_version = '6.2-beta2-55356';
+$wp_version = '6.2-beta2-55358';
 /**
 * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.
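Review bot: The added `elseif` in `register_new_user()` closes only one direction of the collision: it rejects a username equal to an existing email, but nothing in this hunk rejects a new `$user_email` that equals an existing username. The e-mail validation later in the function is outside the hunk, so this may already be handled there. If it is not, the same login-name ambiguity remains for that case, and a branch such as `} elseif ( username_exists( $user_email ) ) {` next to the existing email checks would cover it. The new branch would also benefit from a short comment like the `// Username must not match an existing user email.` that this commit adds in `wp_insert_user()`.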