From c9c2c04a8f965094181342b00bb5a629327ba0f7 Mon Sep 17 00:00:00 2001 From: Michael Babker Date: Thu, 29 Dec 2016 05:36:34 -0500 Subject: [PATCH] Update to PHPMailer 5.2.21 (#13388) --- composer.json | 2 +- composer.lock | 113 +++++++++--------- libraries/vendor/composer/ClassLoader.php | 36 +++++- libraries/vendor/composer/installed.json | 54 ++++----- libraries/vendor/phpmailer/phpmailer/VERSION | 2 +- .../phpmailer/phpmailer/class.phpmailer.php | 56 +++++++-- .../vendor/phpmailer/phpmailer/class.pop3.php | 2 +- .../vendor/phpmailer/phpmailer/class.smtp.php | 4 +- 8 files changed, 168 insertions(+), 101 deletions(-) diff --git a/composer.json b/composer.json index 23adbcaa8d2f9..695a0555cc1de 100644 --- a/composer.json +++ b/composer.json @@ -31,7 +31,7 @@ "ircmaxell/password-compat": "1.*", "leafo/lessphp": "0.5.0", "paragonie/random_compat": "~1.0", - "phpmailer/phpmailer": "^5.2.18", + "phpmailer/phpmailer": "^5.2.20", "symfony/polyfill-php55": "~1.2", "symfony/polyfill-php56": "~1.0", "symfony/yaml": "2.*", diff --git a/composer.lock b/composer.lock index 485a87499ced3..b780110f1cd27 100644 --- a/composer.lock +++ b/composer.lock @@ -4,8 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], - "hash": "ca7cb035c1ac04233d3c822f1160546c", - "content-hash": "161f91c41caf9a179d905264523b29ae", + "content-hash": "126eeca3e1a2354c350bd5ad6fdb4f47", "packages": [ { "name": "ircmaxell/password-compat", @@ -47,7 +46,7 @@ "hashing", "password" ], - "time": "2014-11-20 16:49:30" + "time": "2014-11-20T16:49:30+00:00" }, { "name": "joomla/application", @@ -102,7 +101,7 @@ "framework", "joomla" ], - "time": "2016-12-10 17:26:50" + "time": "2016-12-10T17:26:50+00:00" }, { "name": "joomla/compat", @@ -139,7 +138,7 @@ "framework", "joomla" ], - "time": "2015-02-24 00:21:06" + "time": "2015-02-24T00:21:06+00:00" }, { "name": "joomla/data", 
@@ -188,7 +187,7 @@ "framework", "joomla" ], - "time": "2016-04-02 22:20:43" + "time": "2016-04-02T22:20:43+00:00" }, { "name": "joomla/di", @@ -237,7 +236,7 @@ "ioc", "joomla" ], - "time": "2015-04-02 16:30:40" + "time": "2015-04-02T16:30:40+00:00" }, { "name": "joomla/event", @@ -283,7 +282,7 @@ "framework", "joomla" ], - "time": "2016-03-13 19:41:09" + "time": "2016-03-13T19:41:09+00:00" }, { "name": "joomla/filter", @@ -333,7 +332,7 @@ "framework", "joomla" ], - "time": "2016-10-16 18:10:33" + "time": "2016-10-16T18:10:33+00:00" }, { "name": "joomla/input", @@ -381,7 +380,7 @@ "input", "joomla" ], - "time": "2014-10-12 18:01:36" + "time": "2014-10-12T18:01:36+00:00" }, { "name": "joomla/registry", @@ -434,7 +433,7 @@ "joomla", "registry" ], - "time": "2016-05-14 20:42:05" + "time": "2016-05-14T20:42:05+00:00" }, { "name": "joomla/session", @@ -484,7 +483,7 @@ "joomla", "session" ], - "time": "2016-12-21 21:08:20" + "time": "2016-12-21T21:08:20+00:00" }, { "name": "joomla/string", @@ -550,7 +549,7 @@ "joomla", "string" ], - "time": "2016-12-10 18:13:42" + "time": "2016-12-10T18:13:42+00:00" }, { "name": "joomla/uri", @@ -587,7 +586,7 @@ "joomla", "uri" ], - "time": "2014-02-09 02:57:17" + "time": "2014-02-09T02:57:17+00:00" }, { "name": "joomla/utilities", @@ -633,7 +632,7 @@ "joomla", "utilities" ], - "time": "2016-12-10 17:09:33" + "time": "2016-12-10T17:09:33+00:00" }, { "name": "leafo/lessphp", @@ -674,7 +673,7 @@ ], "description": "lessphp is a compiler for LESS written in PHP.", "homepage": "http://leafo.net/lessphp/", - "time": "2014-11-24 18:39:20" + "time": "2014-11-24T18:39:20+00:00" }, { "name": "paragonie/random_compat", 
@@ -722,20 +721,20 @@ "pseudorandom", "random" ], - "time": "2016-03-18 20:34:03" + "time": "2016-03-18T20:34:03+00:00" }, { "name": "phpmailer/phpmailer", - "version": "v5.2.19", + "version": "v5.2.21", "source": { "type": "git", "url": "https://github.com/PHPMailer/PHPMailer.git", - "reference": "9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9" + "reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9", - "reference": "9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9", + "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/1d51856b76c06fc687fcd9180efa7a0bed0d761e", + "reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e", "shasum": "" }, "require": { @@ -782,7 +781,7 @@ } ], "description": "PHPMailer is a full-featured email creation and transfer class for PHP", - "time": "2016-12-26 10:09:10" + "time": "2016-12-28T15:35:48+00:00" }, { "name": "psr/log", @@ -829,7 +828,7 @@ "psr", "psr-3" ], - "time": "2016-10-10 12:19:37" + "time": "2016-10-10T12:19:37+00:00" }, { "name": "simplepie/simplepie", @@ -883,7 +882,7 @@ "feeds", "rss" ], - "time": "2012-10-30 17:54:03" + "time": "2012-10-30T17:54:03+00:00" }, { "name": "symfony/polyfill-php55", @@ -939,7 +938,7 @@ "portable", "shim" ], - "time": "2016-11-14 01:06:16" + "time": "2016-11-14T01:06:16+00:00" }, { "name": "symfony/polyfill-php56", @@ -995,7 +994,7 @@ "portable", "shim" ], - "time": "2016-11-14 01:06:16" + "time": "2016-11-14T01:06:16+00:00" }, { "name": "symfony/polyfill-util", @@ -1047,7 +1046,7 @@ "polyfill", "shim" ], - "time": "2016-11-14 01:06:16" + "time": "2016-11-14T01:06:16+00:00" }, { "name": "symfony/yaml", @@ -1096,7 +1095,7 @@ ], "description": "Symfony Yaml Component", "homepage": "https://symfony.com", - "time": "2016-11-14 16:15:57" + "time": "2016-11-14T16:15:57+00:00" } ], "packages-dev": [ 
@@ -1152,7 +1151,7 @@ "constructor", "instantiate" ], - "time": "2015-06-14 21:17:01" + "time": "2015-06-14T21:17:01+00:00" }, { "name": "friendsofphp/php-cs-fixer", @@ -1210,7 +1209,7 @@ } ], "description": "A tool to automatically fix PHP code style", - "time": "2016-07-22 06:46:28" + "time": "2016-07-22T06:46:28+00:00" }, { "name": "pear/cache_lite", @@ -1260,7 +1259,7 @@ "keywords": [ "cache" ], - "time": "2014-05-11 15:02:19" + "time": "2014-05-11T15:02:19+00:00" }, { "name": "phpdocumentor/reflection-docblock", @@ -1309,7 +1308,7 @@ "email": "mike.vanriel@naenius.com" } ], - "time": "2015-02-03 12:10:50" + "time": "2015-02-03T12:10:50+00:00" }, { "name": "phpspec/prophecy", @@ -1372,7 +1371,7 @@ "spy", "stub" ], - "time": "2016-11-21 14:58:47" + "time": "2016-11-21T14:58:47+00:00" }, { "name": "phpunit/dbunit", @@ -1431,7 +1430,7 @@ "testing", "xunit" ], - "time": "2015-08-07 04:57:38" + "time": "2015-08-07T04:57:38+00:00" }, { "name": "phpunit/php-code-coverage", @@ -1493,7 +1492,7 @@ "testing", "xunit" ], - "time": "2015-10-06 15:47:00" + "time": "2015-10-06T15:47:00+00:00" }, { "name": "phpunit/php-file-iterator", @@ -1540,7 +1539,7 @@ "filesystem", "iterator" ], - "time": "2016-10-03 07:40:28" + "time": "2016-10-03T07:40:28+00:00" }, { "name": "phpunit/php-text-template", @@ -1581,7 +1580,7 @@ "keywords": [ "template" ], - "time": "2015-06-21 13:50:34" + "time": "2015-06-21T13:50:34+00:00" }, { "name": "phpunit/php-timer", @@ -1625,7 +1624,7 @@ "keywords": [ "timer" ], - "time": "2016-05-12 18:03:57" + "time": "2016-05-12T18:03:57+00:00" }, { "name": "phpunit/php-token-stream", @@ -1674,7 +1673,7 @@ "keywords": [ "tokenizer" ], - "time": "2016-11-15 14:06:22" + "time": "2016-11-15T14:06:22+00:00" }, { "name": "phpunit/phpunit", @@ -1746,7 +1745,7 @@ "testing", "xunit" ], - "time": "2016-12-09 02:45:31" + "time": "2016-12-09T02:45:31+00:00" }, { "name": "phpunit/phpunit-mock-objects", 
@@ -1802,7 +1801,7 @@ "mock", "xunit" ], - "time": "2015-10-02 06:51:40" + "time": "2015-10-02T06:51:40+00:00" }, { "name": "sebastian/comparator", @@ -1866,7 +1865,7 @@ "compare", "equality" ], - "time": "2016-11-19 09:18:40" + "time": "2016-11-19T09:18:40+00:00" }, { "name": "sebastian/diff", @@ -1918,7 +1917,7 @@ "keywords": [ "diff" ], - "time": "2015-12-08 07:14:41" + "time": "2015-12-08T07:14:41+00:00" }, { "name": "sebastian/environment", @@ -1968,7 +1967,7 @@ "environment", "hhvm" ], - "time": "2016-08-18 05:49:44" + "time": "2016-08-18T05:49:44+00:00" }, { "name": "sebastian/exporter", @@ -2035,7 +2034,7 @@ "export", "exporter" ], - "time": "2016-06-17 09:04:28" + "time": "2016-06-17T09:04:28+00:00" }, { "name": "sebastian/global-state", @@ -2086,7 +2085,7 @@ "keywords": [ "global state" ], - "time": "2015-10-12 03:26:01" + "time": "2015-10-12T03:26:01+00:00" }, { "name": "sebastian/recursion-context", @@ -2139,7 +2138,7 @@ ], "description": "Provides functionality to recursively process PHP variables", "homepage": "http://www.github.com/sebastianbergmann/recursion-context", - "time": "2015-11-11 19:50:13" + "time": "2015-11-11T19:50:13+00:00" }, { "name": "sebastian/version", @@ -2174,7 +2173,7 @@ ], "description": "Library that helps with managing the version number of Git-hosted PHP projects", "homepage": "https://github.com/sebastianbergmann/version", - "time": "2015-06-21 13:59:46" + "time": "2015-06-21T13:59:46+00:00" }, { "name": "squizlabs/php_codesniffer", @@ -2249,7 +2248,7 @@ "phpcs", "standards" ], - "time": "2014-12-04 22:32:15" + "time": "2014-12-04T22:32:15+00:00" }, { "name": "symfony/console", @@ -2310,7 +2309,7 @@ ], "description": "Symfony Console Component", "homepage": "https://symfony.com", - "time": "2016-12-06 11:59:35" + "time": "2016-12-06T11:59:35+00:00" }, { "name": "symfony/debug", 
@@ -2367,7 +2366,7 @@ ], "description": "Symfony Debug Component", "homepage": "https://symfony.com", - "time": "2016-11-15 12:53:17" + "time": "2016-11-15T12:53:17+00:00" }, { "name": "symfony/event-dispatcher", @@ -2427,7 +2426,7 @@ ], "description": "Symfony EventDispatcher Component", "homepage": "https://symfony.com", - "time": "2016-10-13 01:43:15" + "time": "2016-10-13T01:43:15+00:00" }, { "name": "symfony/filesystem", @@ -2476,7 +2475,7 @@ ], "description": "Symfony Filesystem Component", "homepage": "https://symfony.com", - "time": "2016-10-18 04:28:30" + "time": "2016-10-18T04:28:30+00:00" }, { "name": "symfony/finder", @@ -2525,7 +2524,7 @@ ], "description": "Symfony Finder Component", "homepage": "https://symfony.com", - "time": "2016-12-13 09:38:12" + "time": "2016-12-13T09:38:12+00:00" }, { "name": "symfony/polyfill-mbstring", @@ -2584,7 +2583,7 @@ "portable", "shim" ], - "time": "2016-11-14 01:06:16" + "time": "2016-11-14T01:06:16+00:00" }, { "name": "symfony/process", @@ -2633,7 +2632,7 @@ ], "description": "Symfony Process Component", "homepage": "https://symfony.com", - "time": "2016-11-24 00:43:03" + "time": "2016-11-24T00:43:03+00:00" }, { "name": "symfony/stopwatch", @@ -2682,7 +2681,7 @@ ], "description": "Symfony Stopwatch Component", "homepage": "https://symfony.com", - "time": "2016-06-29 05:29:29" + "time": "2016-06-29T05:29:29+00:00" } ], "aliases": [], diff --git a/libraries/vendor/composer/ClassLoader.php b/libraries/vendor/composer/ClassLoader.php index ac67d302a1866..4626994fd4d8a 100644 --- a/libraries/vendor/composer/ClassLoader.php +++ b/libraries/vendor/composer/ClassLoader.php @@ -55,6 +55,7 @@ class ClassLoader private $classMap = array(); private $classMapAuthoritative = false; private $missingClasses = array(); + private $apcuPrefix; public function getPrefixes() { 
@@ -271,6 +272,26 @@ public function isClassMapAuthoritative() return $this->classMapAuthoritative; } + /** + * APCu prefix to use to cache found/not-found classes, if the extension is enabled. + * + * @param string|null $apcuPrefix + */ + public function setApcuPrefix($apcuPrefix) + { + $this->apcuPrefix = function_exists('apcu_fetch') && ini_get('apc.enabled') ? $apcuPrefix : null; + } + + /** + * The APCu prefix in use, or null if APCu caching is not enabled. + * + * @return string|null + */ + public function getApcuPrefix() + { + return $this->apcuPrefix; + } + /** * Registers this instance as an autoloader. * @@ -313,11 +334,6 @@ public function loadClass($class) */ public function findFile($class) { - // work around for PHP 5.3.0 - 5.3.2 https://bugs.php.net/50731 - if ('\\' == $class[0]) { - $class = substr($class, 1); - } - // class map lookup if (isset($this->classMap[$class])) { return $this->classMap[$class]; @@ -325,6 +341,12 @@ public function findFile($class) if ($this->classMapAuthoritative || isset($this->missingClasses[$class])) { return false; } + if (null !== $this->apcuPrefix) { + $file = apcu_fetch($this->apcuPrefix.$class, $hit); + if ($hit) { + return $file; + } + } $file = $this->findFileWithExtension($class, '.php'); @@ -333,6 +355,10 @@ public function findFile($class) $file = $this->findFileWithExtension($class, '.hh'); } + if (null !== $this->apcuPrefix) { + apcu_add($this->apcuPrefix.$class, $file); + } + if (false === $file) { // Remember that this class does not exist. $this->missingClasses[$class] = true; diff --git a/libraries/vendor/composer/installed.json b/libraries/vendor/composer/installed.json index 9f6a3c75ea4e3..fe028139199c1 100644 --- a/libraries/vendor/composer/installed.json +++ b/libraries/vendor/composer/installed.json @@ -17,7 +17,7 @@ "require": { "php": ">=5.3.10" }, - "time": "2014-02-09 02:57:17", + "time": "2014-02-09T02:57:17+00:00", "type": "joomla-package", "installation-source": "dist", "autoload": { 
@@ -62,7 +62,7 @@ "phpunit/phpunit": "4.*", "squizlabs/php_codesniffer": "1.*" }, - "time": "2014-10-12 18:01:36", + "time": "2014-10-12T18:01:36+00:00", "type": "joomla-package", "extra": { "branch-alias": { @@ -106,7 +106,7 @@ "require-dev": { "phpunit/phpunit": "4.*" }, - "time": "2014-11-20 16:49:30", + "time": "2014-11-20T16:49:30+00:00", "type": "library", "installation-source": "dist", "autoload": { @@ -150,7 +150,7 @@ "require": { "php": ">=5.3.10" }, - "time": "2015-02-24 00:21:06", + "time": "2015-02-24T00:21:06+00:00", "type": "joomla-package", "installation-source": "dist", "autoload": { @@ -193,7 +193,7 @@ "phpunit/phpunit": "4.*", "squizlabs/php_codesniffer": "1.*" }, - "time": "2015-04-02 16:30:40", + "time": "2015-04-02T16:30:40+00:00", "type": "joomla-package", "extra": { "branch-alias": { @@ -237,7 +237,7 @@ "reference": "0f5a7f5545d2bcf4e9fad9a228c8ad89cc9aa283", "shasum": "" }, - "time": "2014-11-24 18:39:20", + "time": "2014-11-24T18:39:20+00:00", "type": "library", "extra": { "branch-alias": { @@ -287,7 +287,7 @@ "phpunit/phpunit": "~4.8|~5.0", "squizlabs/php_codesniffer": "1.*" }, - "time": "2016-03-13 19:41:09", + "time": "2016-03-13T19:41:09+00:00", "type": "joomla-package", "extra": { "branch-alias": { @@ -337,7 +337,7 @@ "suggest": { "ext-libsodium": "Provides a modern crypto API that can be used to generate random bytes." }, - "time": "2016-03-18 20:34:03", + "time": "2016-03-18T20:34:03+00:00", "type": "library", "installation-source": "dist", "autoload": { @@ -381,7 +381,7 @@ "require": { "php": ">=5.2.0" }, - "time": "2012-10-30 17:54:03", + "time": "2012-10-30T17:54:03+00:00", "type": "library", "installation-source": "dist", "autoload": { @@ -444,7 +444,7 @@ "phpunit/phpunit": "~4.8|~5.0", "squizlabs/php_codesniffer": "1.*" }, - "time": "2016-04-02 22:20:43", + "time": "2016-04-02T22:20:43+00:00", "type": "joomla-package", "extra": { "branch-alias": { 
@@ -500,7 +500,7 @@ "suggest": { "symfony/yaml": "Install symfony/yaml if you require YAML support." }, - "time": "2016-05-14 20:42:05", + "time": "2016-05-14T20:42:05+00:00", "type": "joomla-package", "extra": { "branch-alias": { @@ -543,7 +543,7 @@ "require": { "php": ">=5.3.0" }, - "time": "2016-10-10 12:19:37", + "time": "2016-10-10T12:19:37+00:00", "type": "library", "extra": { "branch-alias": { @@ -600,7 +600,7 @@ "suggest": { "ext-mbstring": "For improved processing" }, - "time": "2016-12-10 18:13:42", + "time": "2016-12-10T18:13:42+00:00", "type": "joomla-package", "extra": { "branch-alias": { @@ -665,7 +665,7 @@ "phpunit/phpunit": "~4.8|~5.0", "squizlabs/php_codesniffer": "1.*" }, - "time": "2016-12-10 17:09:33", + "time": "2016-12-10T17:09:33+00:00", "type": "joomla-package", "extra": { "branch-alias": { @@ -717,7 +717,7 @@ "suggest": { "joomla/language": "Required only if you want to use `OutputFilter::stringURLSafe`." }, - "time": "2016-10-16 18:10:33", + "time": "2016-10-16T18:10:33+00:00", "type": "joomla-package", "extra": { "branch-alias": { @@ -774,7 +774,7 @@ "joomla/session": "To use AbstractWebApplication with session support, install joomla/session", "joomla/uri": "To use AbstractWebApplication, install joomla/uri" }, - "time": "2016-12-10 17:26:50", + "time": "2016-12-10T17:26:50+00:00", "type": "joomla-package", "extra": { "branch-alias": { @@ -818,7 +818,7 @@ "ircmaxell/password-compat": "~1.0", "php": ">=5.3.3" }, - "time": "2016-11-14 01:06:16", + "time": "2016-11-14T01:06:16+00:00", "type": "library", "extra": { "branch-alias": { @@ -875,7 +875,7 @@ "require": { "php": ">=5.3.3" }, - "time": "2016-11-14 01:06:16", + "time": "2016-11-14T01:06:16+00:00", "type": "library", "extra": { "branch-alias": { @@ -930,7 +930,7 @@ "php": ">=5.3.3", "symfony/polyfill-util": "~1.0" }, - "time": "2016-11-14 01:06:16", + "time": "2016-11-14T01:06:16+00:00", "type": "library", "extra": { "branch-alias": { 
@@ -987,7 +987,7 @@ "require": { "php": ">=5.3.9" }, - "time": "2016-11-14 16:15:57", + "time": "2016-11-14T16:15:57+00:00", "type": "library", "extra": { "branch-alias": { @@ -1052,7 +1052,7 @@ "suggest": { "joomla/database": "Install joomla/database if you want to use Database session storage." }, - "time": "2016-12-21 21:08:20", + "time": "2016-12-21T21:08:20+00:00", "type": "joomla-package", "installation-source": "dist", "autoload": { @@ -1074,17 +1074,17 @@ }, { "name": "phpmailer/phpmailer", - "version": "v5.2.19", - "version_normalized": "5.2.19.0", + "version": "v5.2.21", + "version_normalized": "5.2.21.0", "source": { "type": "git", "url": "https://github.com/PHPMailer/PHPMailer.git", - "reference": "9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9" + "reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9", - "reference": "9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9", + "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/1d51856b76c06fc687fcd9180efa7a0bed0d761e", + "reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e", "shasum": "" }, "require": { @@ -1097,7 +1097,7 @@ "suggest": { "league/oauth2-google": "Needed for Google XOAUTH2 authentication" }, - "time": "2016-12-26 10:09:10", + "time": "2016-12-28T15:35:48+00:00", "type": "library", "installation-source": "dist", "autoload": { diff --git a/libraries/vendor/phpmailer/phpmailer/VERSION b/libraries/vendor/phpmailer/phpmailer/VERSION index 1c26b6f22f621..567eefa2cdf13 100644 --- a/libraries/vendor/phpmailer/phpmailer/VERSION +++ b/libraries/vendor/phpmailer/phpmailer/VERSION @@ -1 +1 @@ -5.2.19 \ No newline at end of file +5.2.21 diff --git a/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php b/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php index 6afcf9ae94a39..8ff13f11046ae 100644 --- a/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php 
+++ b/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php
@@ -31,7 +31,7 @@ class PHPMailer
      * The PHPMailer Version number.
      * @var string
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**
      * Email priority.
@@ -1364,19 +1364,24 @@ public function postSend()
      */
     protected function sendmailSend($header, $body)
     {
-        if (!empty($this->Sender)) {
+        // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+        if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
             if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -f%s';
             } else {
-                $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -oi -f%s -t';
             }
         } else {
             if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s';
             } else {
-                $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s -oi -t';
             }
         }
+
+        // TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing.
+        $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
+
         if ($this->SingleTo) {
             foreach ($this->SingleToArray as $toAddr) {
                 if (!@$mail = popen($sendmail, 'w')) {
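Review bot: When `isShellSafe($this->Sender)` rejects the address, the new `else` branch in sendmailSend drops the `-f` envelope sender with no signal to the caller, so bounces silently go to the MTA's default sender instead of the configured one; the mailSend hunk further down has the same behaviour. A one-line comment at that `else` would make the fallback deliberate and visible, e.g. `// Sender rejected by isShellSafe(): send without -f rather than pass it to the shell`. Note also that mailSend additionally requires `$this->validateAddress($this->Sender)` while this branch relies on isShellSafe() alone, so the two call sites could share one guard. sendmailSend's body continues past the end of the hunk. Since this is a vendored copy of PHPMailer, any change here belongs upstream rather than in this tree.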
@@ -1422,6 +1427,40 @@ protected function sendmailSend($header, $body)
         return true;
     }
 
+    /**
+     * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
+     *
+     * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+     * @param string $string The string to be validated
+     * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
+     * @access protected
+     * @return boolean
+     */
+    protected static function isShellSafe($string)
+    {
+        // Future-proof
+        if (escapeshellcmd($string) !== $string
+            or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))
+        ) {
+            return false;
+        }
+
+        $length = strlen($string);
+
+        for ($i = 0; $i < $length; $i++) {
+            $c = $string[$i];
+
+            // All other characters have a special meaning in at least one common shell, including = and +.
+            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     /**
      * Send mail using the PHP mail() function.
      * @param string $header The message headers
@@ -1442,7 +1481,10 @@ protected function mailSend($header, $body)
         $params = null;
         //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
         if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
-            $params = sprintf('-f%s', escapeshellarg($this->Sender));
+            // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+            if (self::isShellSafe($this->Sender)) {
+                $params = sprintf('-f%s', $this->Sender);
+            }
         }
         if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
             $old_from = ini_get('sendmail_from');
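Review bot: The `in_array(escapeshellarg($string), array(...))` check in isShellSafe uses loose comparison; pass the strict flag, `or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""), true)`, so the guard never depends on PHP's string-to-number coercion rules. The per-character loop is locale-sensitive, as the inline comment says: `ctype_alnum()` classifies bytes according to the current `LC_CTYPE`, so the accepted set can change with whatever `setlocale()` the embedding application ran earlier, while only `@`, `_`, `-` and `.` are fixed. That is worth one sentence in the docblock next to `@return boolean`, e.g. `Accepted alphanumerics follow the process locale (ctype_alnum); only @ _ - . are fixed.`, so integrators know the allowlist is not purely ASCII. As with the other hunks in this vendored file, the change should be raised upstream rather than applied here.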
diff --git a/libraries/vendor/phpmailer/phpmailer/class.pop3.php b/libraries/vendor/phpmailer/phpmailer/class.pop3.php
index 32d614b35907c..373c886cded3e 100644
--- a/libraries/vendor/phpmailer/phpmailer/class.pop3.php
+++ b/libraries/vendor/phpmailer/phpmailer/class.pop3.php
@@ -34,7 +34,7 @@ class POP3
      * @var string
      * @access public
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**
      * Default POP3 port number.
diff --git a/libraries/vendor/phpmailer/phpmailer/class.smtp.php b/libraries/vendor/phpmailer/phpmailer/class.smtp.php
index 04ced65812905..270162b26400e 100644
--- a/libraries/vendor/phpmailer/phpmailer/class.smtp.php
+++ b/libraries/vendor/phpmailer/phpmailer/class.smtp.php
@@ -30,7 +30,7 @@ class SMTP
      * The PHPMailer SMTP version number.
      * @var string
      */
-    const VERSION = '5.2.19';
+    const VERSION = '5.2.21';
 
     /**
      * SMTP line break constant.
@@ -81,7 +81,7 @@ class SMTP
      * @deprecated Use the `VERSION` constant instead
      * @see SMTP::VERSION
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**
      * SMTP server port number.