From e79bddcb024e937b6f23e074a1742e73f35a359d Mon Sep 17 00:00:00 2001
From: Gary Pendergast
Date: Wed, 16 Jan 2019 04:26:48 +0000
Subject: [PATCH] Users: Add extra checking to `wp_new_user_notification()`. Prevent a notification from being sent when an unrecognised value is passed in the `$notify` parameter. Props cthreelabs, 360zen. Fixes #44293.
git-svn-id: https://develop.svn.wordpress.org/trunk@44611 602fd350-edb4-49c9-b593-d223f7449a82
---
 src/wp-includes/pluggable.php | 5 +++++
 tests/phpunit/tests/user.php | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/src/wp-includes/pluggable.php b/src/wp-includes/pluggable.php
index 46e11055ea..0e9d4ad2f0 100644
--- a/src/wp-includes/pluggable.php
+++ b/src/wp-includes/pluggable.php
@@ -1894,6 +1894,11 @@ if ( ! function_exists( 'wp_new_user_notification' ) ) :
 _deprecated_argument( __FUNCTION__, '4.3.1' );
 }
+ // Accepts only 'user', 'admin' , 'both' or default '' as $notify
+ if ( ! in_array( $notify, array( 'user', 'admin', 'both', '' ), true ) ) {
+ return;
+ }
+
 global $wpdb, $wp_hasher;
 $user = get_userdata( $user_id );
diff --git a/tests/phpunit/tests/user.php b/tests/phpunit/tests/user.php
index c6b4d8b7e9..b15aa6060d 100644
--- a/tests/phpunit/tests/user.php
+++ b/tests/phpunit/tests/user.php
@@ -1169,6 +1169,11 @@ class Tests_User extends WP_UnitTestCase {
 true,
 true,
 ),
+ array(
+ 'THIS IS NOT A SUPPORTED NOTIFICATION TYPE',
+ false,
+ false,
+ ),
 );
 }
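Review bot: The guard added before `global $wpdb, $wp_hasher;` returns silently, so a caller that passes a misspelt or wrongly typed `$notify` now gets no e-mail and no diagnostic; because the comparison is strict, `null` and `false` take this path too. A `_doing_it_wrong()` call ahead of the `return;` would surface such callers instead of hiding them. The hunk header shows this body sits inside `if ( ! function_exists( 'wp_new_user_notification' ) ) :`, so a site where a plugin redefines the function presumably does not get the check at all. The inline comment also has a stray space and no full stop; I would write `// Accepts only 'user', 'admin', 'both' or default '' as $notify.` The function starts and ends outside the hunk, so whether its docblock for `$notify` describes the new behaviour cannot be checked here.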
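Review bot: The new data set in tests/phpunit/tests/user.php exercises only an unrecognised string, while the strict `in_array( ..., true )` in pluggable.php also decides what happens to non-string values, and none of those are covered. Rows such as `array( false, false, false ),` and `array( null, false, false ),` would pin that these are rejected rather than treated like the default `''`. The provider method and the test that consumes it start outside the hunk, so the meaning of the second and third columns is assumed from the neighbouring rows.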