update phpmailer (again)
parent
d518096b83
commit
832aa24943
2 changed files with 51 additions and 9 deletions
@ -31,7 +31,7 @@ class PHPMailer
|
||||||
* The PHPMailer Version number.
|
* The PHPMailer Version number.
|
||||||
* @var string
|
* @var string
|
||||||
*/
|
*/
|
||||||
public $Version = '5.2.19';
|
public $Version = '5.2.20';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Email priority.
|
* Email priority.
|
||||||
|
@ -1364,19 +1364,24 @@ class PHPMailer
|
||||||
*/
|
*/
|
||||||
protected function sendmailSend($header, $body)
|
protected function sendmailSend($header, $body)
|
||||||
{
|
{
|
||||||
if (!empty($this->Sender)) {
|
// CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
|
||||||
|
if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
|
||||||
if ($this->Mailer == 'qmail') {
|
if ($this->Mailer == 'qmail') {
|
||||||
$sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
|
$sendmailFmt = '%s -f%s';
|
||||||
} else {
|
} else {
|
||||||
$sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
|
$sendmailFmt = '%s -oi -f%s -t';
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
if ($this->Mailer == 'qmail') {
|
if ($this->Mailer == 'qmail') {
|
||||||
$sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
|
$sendmailFmt = '%s';
|
||||||
} else {
|
} else {
|
||||||
$sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
|
$sendmailFmt = '%s -oi -t';
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing.
|
||||||
|
$sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
|
||||||
|
|
||||||
if ($this->SingleTo) {
|
if ($this->SingleTo) {
|
||||||
foreach ($this->SingleToArray as $toAddr) {
|
foreach ($this->SingleToArray as $toAddr) {
|
||||||
if (!@$mail = popen($sendmail, 'w')) {
|
if (!@$mail = popen($sendmail, 'w')) {
|
||||||
|
@ -1422,6 +1427,40 @@ class PHPMailer
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
|
||||||
|
*
|
||||||
|
* Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
|
||||||
|
* @param string $string The string to be validated
|
||||||
|
* @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
|
||||||
|
* @access protected
|
||||||
|
* @return boolean
|
||||||
|
*/
|
||||||
|
protected static function isShellSafe($string)
|
||||||
|
{
|
||||||
|
// Future-proof
|
||||||
|
if (escapeshellcmd($string) !== $string
|
||||||
|
or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))
|
||||||
|
) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
$length = strlen($string);
|
||||||
|
|
||||||
|
for ($i = 0; $i < $length; $i++) {
|
||||||
|
$c = $string[$i];
|
||||||
|
|
||||||
|
// All other characters have a special meaning in at least one common shell, including = and +.
|
||||||
|
// Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
|
||||||
|
// Note that this does permit non-Latin alphanumeric characters based on the current locale.
|
||||||
|
if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Send mail using the PHP mail() function.
|
* Send mail using the PHP mail() function.
|
||||||
* @param string $header The message headers
|
* @param string $header The message headers
|
||||||
|
@ -1442,7 +1481,10 @@ class PHPMailer
|
||||||
$params = null;
|
$params = null;
|
||||||
//This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
|
//This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
|
||||||
if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
|
if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
|
||||||
$params = sprintf('-f%s', escapeshellarg($this->Sender));
|
// CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
|
||||||
|
if (self::isShellSafe($this->Sender)) {
|
||||||
|
$params = sprintf('-f%s', $this->Sender);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
|
if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
|
||||||
$old_from = ini_get('sendmail_from');
|
$old_from = ini_get('sendmail_from');
|
||||||
|
|
|
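Review bot: In isShellSafe (the hunk at 1422) the first check depends on escapeshellcmd and escapeshellarg being callable, but neither call is guarded; on hosts that list them in disable_functions the comparison fails with a warning and null on PHP 5/7 (which happens to yield false) and, I believe, with an Error on PHP 8, so the fail-closed outcome is accidental rather than explicit. Adding `if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) { return false; }` ahead of the existing check would make the refusal deliberate and keep callers on their no-`-f` path. Related: both sendmailSend (hunk at 1364, whose body continues past the hunk) and mailSend (hunk at 1442) silently drop the `-f` envelope sender when isShellSafe rejects it, so a Sender that fails the allow-list degrades without any log or error signal; a debug or error message on that branch would make the rejection visible to the operator. The `in_array(...)` call in the same check should also pass `true` as its third argument so the comparison is strict, matching the strict `!==` used beside it.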
@ -30,7 +30,7 @@ class SMTP
|
||||||
* The PHPMailer SMTP version number.
|
* The PHPMailer SMTP version number.
|
||||||
* @var string
|
* @var string
|
||||||
*/
|
*/
|
||||||
const VERSION = '5.2.19';
|
const VERSION = '5.2.20';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* SMTP line break constant.
|
* SMTP line break constant.
|
||||||
|
@ -81,7 +81,7 @@ class SMTP
|
||||||
* @deprecated Use the `VERSION` constant instead
|
* @deprecated Use the `VERSION` constant instead
|
||||||
* @see SMTP::VERSION
|
* @see SMTP::VERSION
|
||||||
*/
|
*/
|
||||||
public $Version = '5.2.19';
|
public $Version = '5.2.20';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* SMTP server port number.
|
* SMTP server port number.
|
||||||
|
|