Please disclose any vulnerabilities found responsibly - report any security problems found to the maintainers privately.
PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs in `Content-Type` and `Content-Disposition` when filenames passed into `addAttachment` and other methods that accept attachment names contain double quote characters, in contravention of RFC822 3.4.1. No specific vulnerability has been found relating to this, but it could allow file attachments to bypass attachment filters that are based on matching filename extensions. Recorded as [CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by Elar Lang of Clarified Security.
PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing `phar://` paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded as [CVE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296). See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Sehun Oh of cyberone.kr.
PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it is not normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through composer, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.
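The two attachment-argument problems above (CVE-2018-19296, a `phar://` path reaching `addAttachment()`, and CVE-2020-13625, a double quote inside an attachment filename reaching `Content-Disposition`) are both caller-side input checks a practitioner can apply before handing values to PHPMailer. The block below is an added example written for this page, not PHPMailer's own code or its actual fix: `isSafeLocalPath()` refuses any path with a URL-scheme prefix (the page says the fix blocks `phar://`-style prefixes; this generalizes to any `scheme://`), and `quoteHeaderFilename()` builds a quoted-string for the filename parameter using RFC 5322 quoted-pairs (RFC 5322 obsoletes the RFC 822 the advisory cites). The function names and the sample inputs are constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not PHPMailer code: caller-side checks for attachment
 * arguments before they reach addAttachment() or similar methods.
 */

/**
 * Return true only for plain filesystem paths.
 *
 * Any "scheme://" prefix (phar://, php://, data://, file://, ...) makes
 * PHP consult a stream wrapper instead of the local filesystem; phar://
 * in particular deserializes metadata from the archive, which is the
 * object-injection path behind CVE-2018-19296.
 */
function isSafeLocalPath(string $path): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        return false;
    }
    // A NUL byte would truncate the path in the underlying C calls.
    if (strpos($path, "\0") !== false) {
        return false;
    }
    return true;
}

/**
 * Build a safe quoted-string for a Content-Disposition filename parameter.
 *
 * Control characters (CR/LF included) are dropped so the value can neither
 * inject a new header line nor end the header early; backslash and double
 * quote are escaped as RFC 5322 quoted-pairs so a name such as
 * evil.exe".pdf cannot close the quoted string and confuse a filter that
 * matches on the apparent extension (the CVE-2020-13625 class of bug).
 */
function quoteHeaderFilename(string $name): string
{
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    // Backslash must be escaped before the double quote.
    $escaped = str_replace(['\\', '"'], ['\\\\', '\\"'], $clean);
    return '"' . $escaped . '"';
}

// Constructed sample inputs for demonstration.
$paths = [
    'phar://uploads/evil.jpg/test.txt',
    'PHAR://uploads/evil.jpg',
    'data://text/plain;base64,SGVsbG8=',
    '/var/www/uploads/report.pdf',
    'uploads/report.pdf',
];
foreach ($paths as $p) {
    printf("%-40s %s\n", $p, isSafeLocalPath($p) ? 'ok' : 'REJECTED');
}

$names = [
    'report.pdf',
    'evil.exe".pdf',
    "inject\r\nX-Injected: yes.txt",
];
foreach ($names as $n) {
    echo 'Content-Disposition: attachment; filename=' . quoteHeaderFilename($n) . "\n";
}
```

`isSafeLocalPath()` only rules out stream wrappers; it does not confine the path to an allowed directory, so a caller that takes paths from users still needs a `realpath()` check against a base directory (and an `is_file()` check) on top of it.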
// * methods to publish some XHTML + CSS code, Javascript and Forms;
// * images, graphic (geometric figures) and transformation methods;
// * supports JPEG, PNG and SVG images natively, all images supported by GD (GD, GD2, GD2PART, GIF, JPEG, PNG, BMP, XBM, XPM) and all images supported via ImagMagick (http://www.imagemagick.org/www/formats.html)
// * supports JPEG, PNG and SVG images natively, all images supported by GD (GD, GD2, GD2PART, GIF, JPEG, PNG, BMP, XBM, XPM) and all images supported via ImageMagick (http://www.imagemagick.org/www/formats.html)
// * 1D and 2D barcodes: CODE 39, ANSI MH10.8M-1983, USD-3, 3 of 9, CODE 93, USS-93, Standard 2 of 5, Interleaved 2 of 5, CODE 128 A/B/C, 2 and 5 Digits UPC-Based Extension, EAN 8, EAN 13, UPC-A, UPC-E, MSI, POSTNET, PLANET, RMS4CC (Royal Mail 4-state Customer Code), CBC (Customer Bar Code), KIX (Klant index - Customer index), Intelligent Mail Barcode, Onecode, USPS-B-3200, CODABAR, CODE 11, PHARMACODE, PHARMACODE TWO-TRACKS, Datamatrix, QR-Code, PDF417;
// * JPEG and PNG ICC profiles, Grayscale, RGB, CMYK, Spot Colors and Transparencies;
// * automatic page header and footer management;
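Review bot: this feature list is duplicated verbatim in the class docblock further down, and the next hunk has to fix the same ImagMagick typo a second time; keeping the list in one place would stop the two copies drifting apart again.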
@ -80,7 +80,7 @@
* <li>font subsetting;</li>
* <li>methods to publish some XHTML + CSS code, Javascript and Forms;</li>
* <li>images, graphic (geometric figures) and transformation methods;
* <li>supports JPEG, PNG and SVG images natively, all images supported by GD (GD, GD2, GD2PART, GIF, JPEG, PNG, BMP, XBM, XPM) and all images supported via ImagMagick (http://www.imagemagick.org/www/formats.html)</li>
* <li>supports JPEG, PNG and SVG images natively, all images supported by GD (GD, GD2, GD2PART, GIF, JPEG, PNG, BMP, XBM, XPM) and all images supported via ImageMagick (http://www.imagemagick.org/www/formats.html)</li>
* <li>1D and 2D barcodes: CODE 39, ANSI MH10.8M-1983, USD-3, 3 of 9, CODE 93, USS-93, Standard 2 of 5, Interleaved 2 of 5, CODE 128 A/B/C, 2 and 5 Digits UPC-Based Extension, EAN 8, EAN 13, UPC-A, UPC-E, MSI, POSTNET, PLANET, RMS4CC (Royal Mail 4-state Customer Code), CBC (Customer Bar Code), KIX (Klant index - Customer index), Intelligent Mail Barcode, Onecode, USPS-B-3200, CODABAR, CODE 11, PHARMACODE, PHARMACODE TWO-TRACKS, Datamatrix, QR-Code, PDF417;</li>
* <li>JPEG and PNG ICC profiles, Grayscale, RGB, CMYK, Spot Colors and Transparencies;</li>
* <li>automatic page header and footer management;</li>
@ -104,7 +104,7 @@
* Tools to encode your unicode fonts are on fonts/utils directory.</p>
* TCPDF project (http://www.tcpdf.org) has been originally derived in 2002 from the Public Domain FPDF class by Olivier Plathey (http://www.fpdf.org), but now is almost entirely rewritten.<br>
* @package com.tecnick.tcpdf
* @brief PHP class for generating PDF documents without requiring external extensions.
* @version 6.2.26
* @version 6.3.2
* @author Nicola Asuni - info@tecnick.com
* @IgnoreAnnotation("protected")
* @IgnoreAnnotation("public")
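Review bot: the @version bump from 6.2.26 to 6.3.2 is not consistent with the @since tags added later in this diff: `$pdfa_version` is introduced with `@since 6.2.26 (2019-03-12)` while `$custom_xmp_rdf` gets `@since 6.3.0 (2019-09-19)`. If `$pdfa_version` is new in this change, its @since should name the release that actually ships it.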
@ -1760,6 +1760,13 @@ class TCPDF {
*/
protected $pdfa_mode = false;
/**
* version of PDF/A mode (1 - 3).
* @protected
* @since 6.2.26 (2019-03-12)
*/
protected $pdfa_version = 1;
/**
* Document creation date-time
* @protected
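Review bot: the docblock for `$pdfa_version` says "(1 - 3)", but the constructor docblock in this same diff says "(1 or 3)" and `setPDFVersion()` only special-cases `pdfa_version == 1`. Pick one statement of the supported values and, since the value comes from the caller, reject anything outside that set instead of letting an unsupported version fall through to the non-PDF/A-1 branch of `setPDFVersion()`.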
@ -1781,6 +1788,13 @@ class TCPDF {
*/
protected $custom_xmp = '';
/**
* Custom XMP RDF data.
* @protected
* @since 6.3.0 (2019-09-19)
*/
protected $custom_xmp_rdf = '';
/**
* Overprint mode array.
* (Check the "Entries in a Graphics State Parameter Dictionary" on PDF 32000-1:2008).
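Review bot: the docblock for `$custom_xmp_rdf` should say whether the string is written into the XMP packet verbatim or escaped. XMP is XML, so a caller who fills this from untrusted input has to know whether `<`, `&` and similar must be escaped before assignment; "Custom XMP RDF data." on its own does not answer that.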
@ -1834,7 +1848,7 @@ class TCPDF {
* @param $unicode (boolean) TRUE means that the input text is unicode (default = true)
* @param $encoding (string) Charset encoding (used only when converting back html entities); default is UTF-8.
* @param $diskcache (boolean) DEPRECATED FEATURE
* @param $pdfa (boolean) If TRUE set the document to PDF/A mode.
* @param $pdfa (integer) If not false, set the document to PDF/A mode and the good version (1 or 3).
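Review bot: "the good version (1 or 3)" is unclear and contradicts the `$pdfa_version` docblock's "(1 - 3)". Suggest `@param $pdfa (false|int) If not false, set the document to PDF/A mode; the integer selects the PDF/A version (1, 2 or 3)`, or whichever set is actually supported, and state explicitly whether the old boolean `true` is still accepted, since existing callers pass `true` for what used to be a boolean parameter.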
* @param $link (int) The link identifier returned by AddLink()
* @param $y (float) Ordinate of target position; -1 indicates the current position. The default value is 0 (top of page)
* @param $page (int) Number of target page; -1 indicates the current page (default value). If you prefix a page number with the * character, then this page will not be changed when adding/deleting/moving pages.
* @param $page (int|string) Number of target page; -1 indicates the current page (default value). If you prefix a page number with the * character, then this page will not be changed when adding/deleting/moving pages.
* @public
* @since 1.5
* @see AddLink()
*/
public function SetLink($link, $y=0, $page=-1) {
$fixed = false;
if (!empty($page) AND ($page[0] == '*')) {
if (!empty($page) AND (substr($page, 0, 1) == '*')) {
$page = intval(substr($page, 1));
// this page number will not be changed when moving/add/deleting pages
if (!empty($page) AND (substr($page, 0, 1) == '*')) {
$page = intval(substr($page, 1));
// this page number will not be changed when moving/add/deleting pages
$fixed = true;
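Review bot: replacing `$page[0]` with `substr($page, 0, 1)` avoids the "Trying to access array offset on value of type int" notice (PHP 7.4 and later) when an integer page is passed, but the identical check in `Link()` below is rewritten with a different idiom (`$pageAsString = (string) $page; ... $pageAsString[0]`); use one idiom, ideally a small private helper, so the two call sites stay in sync. Also, the `if (!empty($page) AND (substr($page, 0, 1) == '*'))` block appears twice in this hunk; if that is in the file rather than a rendering artefact it is dead code, since `$page` is already an integer after the first `intval()` and can no longer start with `*`.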
@ -12324,7 +12384,8 @@ class TCPDF {
$x = $this->w;
}
$fixed = false;
if (!empty($page) AND ($page[0] == '*')) {
$pageAsString = (string) $page;
if ($pageAsString && $pageAsString[0] == '*') {
$page = intval(substr($page, 1));
// this page number will not be changed when moving/add/deleting pages
$fixed = true;
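Review bot: `intval(substr($page, 1))` here operates on the original `$page` rather than `$pageAsString`; it works only because the branch is entered when the string form starts with `*`, so `$page` must already be a string, but using `$pageAsString` would make that obvious and match the cast the line above just introduced. `SetLink()` earlier in this diff uses `substr($page, 0, 1)` for the same test; the two should use the same idiom.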
@ -13988,7 +14049,7 @@ class TCPDF {
* @since 3.1.000 (2008-06-09)
*/
public function setPDFVersion($version='1.7') {
if ($this->pdfa_mode) {
if ($this->pdfa_mode&& $this->pdfa_version == 1 ) {
// PDF/A mode
$this->PDFVersion = '1.4';
} else {
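Review bot: pinning only PDF/A-1 to PDF 1.4 is correct (PDF/A-2 and PDF/A-3 are based on ISO 32000-1, i.e. PDF 1.7), but if the `else` branch simply stores the caller's `$version`, a PDF/A-2 or PDF/A-3 document can still be stamped with a lower version such as '1.5'; consider forcing '1.7' when `pdfa_mode` is set with `pdfa_version` 2 or 3. Style: missing spaces in `pdfa_mode&&` and a stray space before `)`.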
@ -15502,8 +15563,7 @@ class TCPDF {
* <li>int $style['module_height'] height of a single module in points</li>
* <li>array $style['fgcolor'] color array for bars and text</li>
* <li>mixed $style['bgcolor'] color array for background or false for transparent</li>
* <li>string $style['position'] barcode position on the page: L = left margin; C = center; R = right margin; S = stretch</li><li>$style['module_width'] width of a single module in points</li>
* <li>$style['module_height'] height of a single module in points</li></ul>
* <li>string $style['position'] barcode position on the page: L = left margin; C = center; R = right margin; S = stretch</li>
* @param $align (string) Indicates the alignment of the pointer next to barcode insertion relative to barcode height. The value can be:<ul><li>T: top-right for LTR or top-left for RTL</li><li>M: middle-right for LTR or middle-left for RTL</li><li>B: bottom-right for LTR or bottom-left for RTL</li><li>N: next line</li></ul>
* @param $distort (boolean) if true distort the barcode to fit width and height, otherwise preserve aspect ratio
* @author Nicola Asuni
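Review bot: dropping the fused `</li><li>$style['module_width'] ...` fragment is right, since `module_width` and `module_height` are already listed a few lines up, but the removed line also carried the closing `</ul>` for this list and the replacement `position` line ends with `</li>` only; add `</ul>` after it so the `<ul>` opened for `$style` is still closed.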
@ -16897,10 +16957,10 @@ class TCPDF {
if (($dom[$key]['value'] == 'pre') OR ($dom[$key]['value'] == 'tt')) {