
Mitigations for CVE-2018-19296

This commit is contained in:
Marcus Bointon 2018-11-15 23:01:42 +01:00
parent 0ed33daab6
commit 8e653bb796
No known key found for this signature in database
GPG Key ID: DE31CD6EB646AA24
2 changed files with 40 additions and 5 deletions


@ -1471,7 +1471,10 @@ class PHPMailer
if (!empty($this->DKIM_domain)
and !empty($this->DKIM_selector)
and (!empty($this->DKIM_private_string)
or (!empty($this->DKIM_private) and file_exists($this->DKIM_private))
or (!empty($this->DKIM_private)
and static::isPermittedPath($this->DKIM_private)
and file_exists($this->DKIM_private)
)
)
) {
$header_dkim = $this->DKIM_Add(
@ -1648,6 +1651,20 @@ class PHPMailer
return true;
}
/**
* Check whether a file path is of a permitted type.
* Used to reject URLs and phar files from functions that access local file paths,
* such as addAttachment.
*
* @param string $path A relative or absolute path to a file.
*
* @return bool
*/
protected static function isPermittedPath($path)
{
return !preg_match('#^[a-z]+://#i', $path);
}
/**
* Send mail using the PHP mail() function.
*
@ -2038,7 +2055,7 @@ class PHPMailer
// There is no English translation file
if ('en' != $langcode) {
// Make sure language file path is readable
if (!file_exists($lang_file)) {
if (!static::isPermittedPath($lang_file) || !file_exists($lang_file)) {
$foundlang = false;
} else {
// Overwrite language-specific strings.
@ -2776,6 +2793,8 @@ class PHPMailer
* Add an attachment from a path on the filesystem.
* Never use a user-supplied path to a file!
* Returns false if the file could not be found or read.
* Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client.
* If you need to do that, fetch the resource yourself and pass it in via a local file or string.
*
* @param string $path Path to the attachment
* @param string $name Overrides the attachment name
@ -2790,7 +2809,7 @@ class PHPMailer
public function addAttachment($path, $name = '', $encoding = self::ENCODING_BASE64, $type = '', $disposition = 'attachment')
{
try {
if (!@is_file($path)) {
if (!static::isPermittedPath($path) || !@is_file($path)) {
throw new Exception($this->lang('file_access') . $path, self::STOP_CONTINUE);
}
@ -2972,7 +2991,7 @@ class PHPMailer
protected function encodeFile($path, $encoding = self::ENCODING_BASE64)
{
try {
if (!file_exists($path)) {
if (!static::isPermittedPath($path) || !file_exists($path)) {
throw new Exception($this->lang('file_open') . $path, self::STOP_CONTINUE);
}
$file_buffer = file_get_contents($path);
@ -3313,7 +3332,7 @@ class PHPMailer
*/
public function addEmbeddedImage($path, $cid, $name = '', $encoding = self::ENCODING_BASE64, $type = '', $disposition = 'inline')
{
if (!@is_file($path)) {
if (!static::isPermittedPath($path) || !@is_file($path)) {
$this->setError($this->lang('file_access') . $path);
return false;
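Review bot: The scheme test in `isPermittedPath` (hunk at -1648) is narrower than the URI scheme grammar: `#^[a-z]+://#i` only matches scheme names made purely of letters, while RFC 3986 §3.1 also permits digits, `+`, `-` and `.` after the first letter, so a scheme spelled with one of those characters passes the check and still reaches `file_exists()`/`is_file()`. Aligning the pattern with the RFC grammar, `return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);`, closes that gap without affecting ordinary relative or absolute paths (a Windows drive prefix has a single `:` and no `//`). The operand order in the other hunks is load-bearing and deserves a comment on the function, e.g. `// Must be evaluated before file_exists()/is_file(): those calls are what hand the path to a stream wrapper`, so a later refactor does not move the guard to the right of the filesystem call. The docblock could also state that a `false` from `preg_match` (a PCRE failure) is treated as permitted; with this fixed pattern that is not reachable in practice, but the fail-open direction should be explicit.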


@ -798,6 +798,22 @@ final class PHPMailerTest extends TestCase
$this->assertTrue($this->Mail->send(), $this->Mail->ErrorInfo);
}
/**
* Rejection of non-local file attachments test.
*/
public function testRejectNonLocalFileAttachment()
{
$this->assertFalse(
$this->Mail->addAttachment('https://github.com/PHPMailer/PHPMailer/raw/master/README.md'),
'addAttachment should reject remote URLs'
);
$this->assertFalse(
$this->Mail->addAttachment('phar://phar.php'),
'addAttachment should reject phar resources'
);
}
/**
* Simple plain string attachment test.
*/