phpmailer update

This commit is contained in:
Roland Gruber 2020-05-28 20:11:36 +02:00
parent 3018a887c0
commit 71af42442b
9 changed files with 55 additions and 33 deletions

10
lam/composer.lock generated
View File

@ -773,16 +773,16 @@
},
{
"name": "phpmailer/phpmailer",
"version": "v6.1.5",
"version": "v6.1.6",
"source": {
"type": "git",
"url": "https://github.com/PHPMailer/PHPMailer.git",
"reference": "a8bf068f64a580302026e484ee29511f661b2ad3"
"reference": "c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/a8bf068f64a580302026e484ee29511f661b2ad3",
"reference": "a8bf068f64a580302026e484ee29511f661b2ad3",
"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3",
"reference": "c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3",
"shasum": ""
},
"require": {
@ -831,7 +831,7 @@
}
],
"description": "PHPMailer is a full-featured email creation and transfer class for PHP",
"time": "2020-03-14T14:23:48+00:00"
"time": "2020-05-27T12:24:03+00:00"
},
{
"name": "psr/http-client",

View File

@ -808,17 +808,17 @@
},
{
"name": "phpmailer/phpmailer",
"version": "v6.1.5",
"version_normalized": "6.1.5.0",
"version": "v6.1.6",
"version_normalized": "6.1.6.0",
"source": {
"type": "git",
"url": "https://github.com/PHPMailer/PHPMailer.git",
"reference": "a8bf068f64a580302026e484ee29511f661b2ad3"
"reference": "c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3"
},
"dist": {
"type": "zip",
"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/a8bf068f64a580302026e484ee29511f661b2ad3",
"reference": "a8bf068f64a580302026e484ee29511f661b2ad3",
"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3",
"reference": "c2796cb1cb99d7717290b48c4e6f32cb6c60b7b3",
"shasum": ""
},
"require": {
@ -839,7 +839,7 @@
"stevenmaguire/oauth2-microsoft": "Needed for Microsoft XOAUTH2 authentication",
"symfony/polyfill-mbstring": "To support UTF-8 if the Mbstring PHP extension is not enabled (^1.2)"
},
"time": "2020-03-14T14:23:48+00:00",
"time": "2020-05-27T12:24:03+00:00",
"type": "library",
"installation-source": "dist",
"autoload": {

View File

@ -2,6 +2,8 @@
Please disclose any vulnerabilities found responsibly - report any security problems found to the maintainers privately.
PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs in `Content-Type` and `Content-Disposition` when filenames passed into `addAttachment` and other methods that accept attachment names contain double quote characters, in contravention of RFC822 3.4.1. No specific vulnerability has been found relating to this, but it could allow file attachments to bypass attachment filters that are based on matching filename extensions. Recorded as [CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by Elar Lang of Clarified Security.
PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing `phar://` paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded as [CVE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296). See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Sehun Oh of cyberone.kr.
PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through composer, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.

View File

@ -1 +1 @@
6.1.5
6.1.6

View File

@ -19,6 +19,12 @@
"name": "Brent R. Matzelle"
}
],
"funding": [
{
"url": "https://github.com/synchro",
"type": "github"
}
],
"require": {
"php": ">=5.5.0",
"ext-ctype": "*",

View File

@ -745,7 +745,7 @@ class PHPMailer
*
* @var string
*/
const VERSION = '6.1.5';
const VERSION = '6.1.6';
/**
* Error severity: message only, continue processing.
@ -2086,6 +2086,7 @@ class PHPMailer
'se' => 'sv',
'rs' => 'sr',
'tg' => 'tl',
'am' => 'hy',
];
if (isset($renamed_langcodes[$langcode])) {
@ -3063,9 +3064,9 @@ class PHPMailer
//Only include a filename property if we have one
if (!empty($name)) {
$mime[] = sprintf(
'Content-Type: %s; name="%s"%s',
'Content-Type: %s; name=%s%s',
$type,
$this->encodeHeader($this->secureHeader($name)),
static::quotedString($this->encodeHeader($this->secureHeader($name))),
static::$LE
);
} else {
@ -3085,24 +3086,14 @@ class PHPMailer
$mime[] = 'Content-ID: <' . $this->encodeHeader($this->secureHeader($cid)) . '>' . static::$LE;
}
// If a filename contains any of these chars, it should be quoted,
// but not otherwise: RFC2183 & RFC2045 5.1
// Fixes a warning in IETF's msglint MIME checker
// Allow for bypassing the Content-Disposition header totally
// Allow for bypassing the Content-Disposition header
if (!empty($disposition)) {
$encoded_name = $this->encodeHeader($this->secureHeader($name));
if (preg_match('/[ ()<>@,;:"\/\[\]?=]/', $encoded_name)) {
$mime[] = sprintf(
'Content-Disposition: %s; filename="%s"%s',
$disposition,
$encoded_name,
static::$LE . static::$LE
);
} elseif (!empty($encoded_name)) {
if (!empty($encoded_name)) {
$mime[] = sprintf(
'Content-Disposition: %s; filename=%s%s',
$disposition,
$encoded_name,
static::quotedString($encoded_name),
static::$LE . static::$LE
);
} else {
@ -3162,6 +3153,7 @@ class PHPMailer
if ($this->exceptions) {
throw $exc;
}
return '';
}
}
@ -4726,6 +4718,28 @@ class PHPMailer
return (bool) preg_match('/^(.{' . (self::MAX_LINE_LENGTH + strlen(static::$LE)) . ',})/m', $str);
}
/**
* If a string contains any "special" characters, double-quote the name,
* and escape any double quotes with a backslash.
*
* @param string $str
*
* @return string
*
* @see RFC822 3.4.1
*/
public static function quotedString($str)
{
if (preg_match('/[ ()<>@,;:"\/\[\]?=]/', $str)) {
//If the string contains any of these chars, it must be double-quoted
//and any double quotes must be escaped with a backslash
return '"' . str_replace('"', '\\"', $str) . '"';
}
//Return the string untouched, it doesn't need quoting
return $str;
}
/**
* Allows for public read access to 'to' property.
* Before the send() call, queued addresses (i.e. with IDN) are not yet included.

View File

@ -45,7 +45,7 @@ class POP3
*
* @var string
*/
const VERSION = '6.1.5';
const VERSION = '6.1.6';
/**
* Default POP3 port number.

View File

@ -34,7 +34,7 @@ class SMTP
*
* @var string
*/
const VERSION = '6.1.5';
const VERSION = '6.1.6';
/**
* SMTP line break constant.
@ -1168,7 +1168,7 @@ class SMTP
//Must pass vars in here as params are by reference
if (!stream_select($selR, $selW, $selW, $this->Timelimit)) {
$this->edebug(
'SMTP -> get_lines(): timed-out (' . $this->Timeout . ' sec)',
'SMTP -> get_lines(): select timed-out in (' . $this->Timelimit . ' sec)',
self::DEBUG_LOWLEVEL
);
break;
@ -1187,7 +1187,7 @@ class SMTP
$info = stream_get_meta_data($this->smtp_conn);
if ($info['timed_out']) {
$this->edebug(
'SMTP -> get_lines(): timed-out (' . $this->Timeout . ' sec)',
'SMTP -> get_lines(): stream timed-out (' . $this->Timeout . ' sec)',
self::DEBUG_LOWLEVEL
);
break;