mirror/PHPMailer
0
0
Fork 0
mirror of https://github.com/PHPMailer/PHPMailer.git synced 2024-09-20 10:02:14 +02:00
Code

Merge branch 'master' of https://github.com/PHPMailer/PHPMailer

Browse Source
This commit is contained in:
Jim Jagielski 2018-11-16 08:18:48 -05:00
commit 028aceea3d
10 changed files with 64 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -72,6 +72,8 @@ If you don't speak git or just want a tarball, click the 'zip' button on the rig
## Legacy versions
PHPMailer 5.2 (which is compatible with PHP 5.0 - 7.0) is no longer being supported for feature updates, and will only be receiving security updates from now on. You will find the latest version of 5.2 in the [5.2-stable branch](https://github.com/PHPMailer/PHPMailer/tree/5.2-stable), and future versions of 5.2 will be tagged with 5.2.x version numbers, so existing Composer configs should remain working. If you're using PHP 5.5 or later, we recommend you make the necessary changes to switch to the 6.0 release.
The 5.2 branch will not receive security updates after December 31st 2018.
## Upgrading from 5.2
The biggest changes are that source files are now in the `src/` folder, and PHPMailer now declares the namespace `PHPMailer\PHPMailer`. This has several important effects [read the upgrade guide](https://github.com/PHPMailer/PHPMailer/tree/master/UPGRADING.md) for more details.

4
SECURITY.md
View File

@ -2,7 +2,9 @@
Please disclose any vulnerabilities found responsibly - report any security problems found to the maintainers privately.
PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.
PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing `phar://` paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded as [CVE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296). See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Sehun Oh of cyberone.kr.
PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through composer, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.
PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file disclosure vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5223). If content passed into `msgHTML()` is sourced from unfiltered user input, relative paths can map to absolute local file paths and added as attachments. Also note that `addAttachment` (just like `file_get_contents`, `passthru`, `unlink`, etc) should not be passed user-sourced params either! Reported by Yongxiang Li of Asiasecurity.

2
VERSION
View File

@ -1 +1 @@
6.0.5
6.0.6

11
changelog.md
View File

@ -1,7 +1,11 @@
# PHPMailer Change Log
## Version 6.0.6 (November 14th 2018)
* **SECURITY** Fix potential object injection vulnerability. Reported by Sehun Oh of cyberone.kr.
* Added Tagalog translation, thanks to @StoneArtz
* Added Malagache translation, thanks to @Hackinet
* Updated Serbian translation, fixed incorrect language code, thanks to @mmilanovic4
* Updated Arabic translations (@MicroDroid)
* Updated Hungarian translations
* Updated Dutch translations
* Updated Slovenian translation (@filips123)
@ -12,7 +16,12 @@
* Add constants for common values, such as `text/html` and `quoted-printable`, and use them
* Added support for copied headers in DKIM, helping with debugging, and an option to add extra headers to the DKIM signature. See DKIM_sign example for how to use them. Thanks to @gwi-mmuths.
* Add Campaign Monitor transaction ID pattern matcher
* Remove deprecated constant and ini values causing warnings in PHP 7.3.
* Remove deprecated constant and ini values causing warnings in PHP 7.3, added PHP 7.3 build to Travis config.
* Expanded test coverage
## Version 5.2.27 (November 14th 2018)
* **SECURITY** Fix potential object injection vulnerability. Reported by Sehun Oh of cyberone.kr.
* Note that the 5.2 branch is now deprecated and will not receive security updates after 31st December 2018.
## Version 6.0.5 (March 27th 2018)
* Re-roll of 6.0.4 to fix missed version file entry. No code changes.

26
language/phpmailer.lang-rs.php
View File

@ -1,26 +0,0 @@
<?php
/**
* Serbian PHPMailer language file: refer to English translation for definitive list
* @package PHPMailer
* @author Александар Јевремовић <ajevremovic@gmail.com>
*/
$PHPMAILER_LANG['authenticate'] = 'SMTP грешка: аутентификација није успела.';
$PHPMAILER_LANG['connect_host'] = 'SMTP грешка: није могуће повезивање са SMTP сервером.';
$PHPMAILER_LANG['data_not_accepted'] = 'SMTP грешка: подаци нису прихваћени.';
$PHPMAILER_LANG['empty_message'] = 'Садржај поруке је празан.';
$PHPMAILER_LANG['encoding'] = 'Непознато кодовање: ';
$PHPMAILER_LANG['execute'] = 'Није могуће извршити наредбу: ';
$PHPMAILER_LANG['file_access'] = 'Није могуће приступити датотеци: ';
$PHPMAILER_LANG['file_open'] = 'Није могуће отворити датотеку: ';
$PHPMAILER_LANG['from_failed'] = 'SMTP грешка: слање са следећих адреса није успело: ';
$PHPMAILER_LANG['recipients_failed'] = 'SMTP грешка: слање на следеће адресе није успело: ';
$PHPMAILER_LANG['instantiate'] = 'Није могуће покренути mail функцију.';
$PHPMAILER_LANG['invalid_address'] = 'Порука није послата због неисправне адресе: ';
$PHPMAILER_LANG['mailer_not_supported'] = ' мејлер није подржан.';
$PHPMAILER_LANG['provide_address'] = 'Потребно је задати најмање једну адресу.';
$PHPMAILER_LANG['signing'] = 'Грешка приликом пријављивања: ';
$PHPMAILER_LANG['smtp_connect_failed'] = 'Повезивање са SMTP сервером није успело.';
$PHPMAILER_LANG['smtp_error'] = 'Грешка SMTP сервера: ';
$PHPMAILER_LANG['variable_set'] = 'Није могуће задати променљиву, нити је вратити уназад: ';
$PHPMAILER_LANG['extension_missing'] = 'Недостаје проширење: ';

1
language/phpmailer.lang-sr.php
View File

@ -2,6 +2,7 @@
/**
* Serbian PHPMailer language file: refer to English translation for definitive list
* @package PHPMailer
* @author Александар Јевремовић <ajevremovic@gmail.com>
* @author Miloš Milanović <mmilanovic016@gmail.com>
*/

33
src/PHPMailer.php
View File

@ -701,7 +701,7 @@ class PHPMailer
*
* @var string
*/
const VERSION = '6.0.5';
const VERSION = '6.0.6';
/**
* Error severity: message only, continue processing.
@ -1471,7 +1471,10 @@ class PHPMailer
if (!empty($this->DKIM_domain)
and !empty($this->DKIM_selector)
and (!empty($this->DKIM_private_string)
or (!empty($this->DKIM_private) and file_exists($this->DKIM_private))
or (!empty($this->DKIM_private)
and static::isPermittedPath($this->DKIM_private)
and file_exists($this->DKIM_private)
)
)
) {
$header_dkim = $this->DKIM_Add(
@ -1648,6 +1651,20 @@ class PHPMailer
return true;
}
/**
* Check whether a file path is of a permitted type.
* Used to reject URLs and phar files from functions that access local file paths,
* such as addAttachment.
*
* @param string $path A relative or absolute path to a file
*
* @return bool
*/
protected static function isPermittedPath($path)
{
return !preg_match('#^[a-z]+://#i', $path);
}
/**
* Send mail using the PHP mail() function.
*
@ -1995,7 +2012,7 @@ class PHPMailer
'dk' => 'da',
'no' => 'nb',
'se' => 'sv',
'sr' => 'rs',
'rs' => 'sr',
'tg' => 'tl',
];
@ -2038,7 +2055,7 @@ class PHPMailer
// There is no English translation file
if ('en' != $langcode) {
// Make sure language file path is readable
if (!file_exists($lang_file)) {
if (!static::isPermittedPath($lang_file) || !file_exists($lang_file)) {
$foundlang = false;
} else {
// Overwrite language-specific strings.
@ -2776,6 +2793,8 @@ class PHPMailer
* Add an attachment from a path on the filesystem.
* Never use a user-supplied path to a file!
* Returns false if the file could not be found or read.
* Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client.
* If you need to do that, fetch the resource yourself and pass it in via a local file or string.
*
* @param string $path Path to the attachment
* @param string $name Overrides the attachment name
@ -2790,7 +2809,7 @@ class PHPMailer
public function addAttachment($path, $name = '', $encoding = self::ENCODING_BASE64, $type = '', $disposition = 'attachment')
{
try {
if (!@is_file($path)) {
if (!static::isPermittedPath($path) || !@is_file($path)) {
throw new Exception($this->lang('file_access') . $path, self::STOP_CONTINUE);
}
@ -2972,7 +2991,7 @@ class PHPMailer
protected function encodeFile($path, $encoding = self::ENCODING_BASE64)
{
try {
if (!file_exists($path)) {
if (!static::isPermittedPath($path) || !file_exists($path)) {
throw new Exception($this->lang('file_open') . $path, self::STOP_CONTINUE);
}
$file_buffer = file_get_contents($path);
@ -3313,7 +3332,7 @@ class PHPMailer
*/
public function addEmbeddedImage($path, $cid, $name = '', $encoding = self::ENCODING_BASE64, $type = '', $disposition = 'inline')
{
if (!@is_file($path)) {
if (!static::isPermittedPath($path) || !@is_file($path)) {
$this->setError($this->lang('file_access') . $path);
return false;

2
src/POP3.php
View File

@ -45,7 +45,7 @@ class POP3
*
* @var string
*/
const VERSION = '6.0.5';
const VERSION = '6.0.6';
/**
* Default POP3 port number.

2
src/SMTP.php
View File

@ -34,7 +34,7 @@ class SMTP
*
* @var string
*/
const VERSION = '6.0.5';
const VERSION = '6.0.6';
/**
* SMTP line break constant.

21
test/PHPMailerTest.php
View File

@ -15,6 +15,7 @@ namespace PHPMailer\Test;
use PHPMailer\PHPMailer\OAuth;
use PHPMailer\PHPMailer\PHPMailer;
use PHPMailer\PHPMailer\POP3;
use PHPMailer\PHPMailer\SMTP;
use PHPUnit\Framework\TestCase;
/**
@ -74,7 +75,7 @@ final class PHPMailerTest extends TestCase
include $this->INCLUDE_DIR . '/test/testbootstrap.php'; //Overrides go in here
}
$this->Mail = new PHPMailer();
$this->Mail->SMTPDebug = 3; //Full debug output
$this->Mail->SMTPDebug = SMTP::DEBUG_CONNECTION; //Full debug output
$this->Mail->Debugoutput = ['PHPMailer\Test\DebugLogTestListener', 'debugLog'];
$this->Mail->Priority = 3;
$this->Mail->Encoding = '8bit';
@ -798,6 +799,22 @@ final class PHPMailerTest extends TestCase
$this->assertTrue($this->Mail->send(), $this->Mail->ErrorInfo);
}
/**
* Rejection of non-local file attachments test.
*/
public function testRejectNonLocalFileAttachment()
{
$this->assertFalse(
$this->Mail->addAttachment('https://github.com/PHPMailer/PHPMailer/raw/master/README.md'),
'addAttachment should reject remote URLs'
);
$this->assertFalse(
$this->Mail->addAttachment('phar://phar.php'),
'addAttachment should reject phar resources'
);
}
/**
* Simple plain string attachment test.
*/
@ -2506,7 +2523,7 @@ EOT;
*/
public function testSmtpConnect()
{
$this->Mail->SMTPDebug = 4; //Show connection-level errors
$this->Mail->SMTPDebug = SMTP::DEBUG_LOWLEVEL; //Show connection-level errors
$this->assertTrue($this->Mail->smtpConnect(), 'SMTP single connect failed');
$this->Mail->smtpClose();