Control: tags 905254 + patch Control: tags 905254 + pending Dear maintainer,
I've prepared an NMU for libphp-phpmailer (versioned as 6.0.6-0.1) and am about to upload it to DELAYED/15. Please feel free to tell me if I should delay it longer. I took the upstream file here: https://github.com/PHPMailer/PHPMailer/archive/v6.0.6.tar.gz Please find my changes to the debian packaging in the attached debdiff (without the upstream changes to avoid a huge debdiff). Regards. Paul Sent from the BSP in Venlo
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/changelog libphp-phpmailer-6.0.6/debian/changelog
--- libphp-phpmailer-5.2.14+dfsg/debian/changelog 2018-12-01 15:09:47.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/changelog 2019-01-13 09:30:40.000000000 +0100
@@ -1,3 +1,11 @@
+libphp-phpmailer (6.0.6-0.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * New upstream release (Closes: #905254)
+ * Drop patches, applied upstream
+
+ -- Paul Gevers <[email protected]> Sun, 13 Jan 2019 09:30:40 +0100
+
 libphp-phpmailer (5.2.14+dfsg-2.4) unstable; urgency=medium
 
 * Non-maintainer upload.
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/docs libphp-phpmailer-6.0.6/debian/docs
--- libphp-phpmailer-5.2.14+dfsg/debian/docs 2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/docs 2019-01-13 09:30:40.000000000 +0100
@@ -1,3 +1 @@
 README.md
-docs
-test
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/install libphp-phpmailer-6.0.6/debian/install
--- libphp-phpmailer-5.2.14+dfsg/debian/install 2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/install 2019-01-13 09:30:40.000000000 +0100
@@ -1,3 +1,3 @@
 *.php usr/share/php/libphp-phpmailer
-extras usr/share/php/libphp-phpmailer
 language usr/share/php/libphp-phpmailer
+src usr/share/php/libphp-phpmailer
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0001-Fix-actual-autoloader-path.patch libphp-phpmailer-6.0.6/debian/patches/0001-Fix-actual-autoloader-path.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0001-Fix-actual-autoloader-path.patch 2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/0001-Fix-actual-autoloader-path.patch 1970-01-01 01:00:00.000000000 +0100
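Review bot: The retained `*.php usr/share/php/libphp-phpmailer` glob in the debian/install hunk ships every top-level PHP file of the upstream tarball as library code, and the dropped patch 0001 on this page shows that tree carrying a top-level `get_oauth_token.php` that calls `session_start()` and does `require 'vendor/autoload.php'`; if 6.0.6 still has it at the top level, it would land under `/usr/share/php/libphp-phpmailer` with a require path that does not exist in the Debian layout. Consider listing the installed files explicitly (the generated `autoload.php` plus `src` and `language`) instead of the glob, after checking the 6.0.6 top-level contents. Note also that patch 0001 is marked `Forwarded: not-needed` — it existed to point README and example snippets at this Debian-specific directory — so the changelog's "Drop patches, applied upstream" is accurate for 0002–0004 only; whatever require paths the 6.0.6 README gives should be checked against the installed layout.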
@@ -1,267 +0,0 @@ -From: =?utf-8?q?David_Pr=C3=A9vot?= <[email protected]> -Date: Sun, 6 Dec 2015 18:55:47 -0400 -Subject: Fix actual autoloader path - -Forwarded: not-needed ---- - README.md | 2 +- - docs/extending.html | 4 ++-- - examples/code_generator.phps | 4 ++-- - examples/exceptions.phps | 2 +- - examples/gmail.phps | 2 +- - examples/gmail_xoauth.phps | 4 ++-- - examples/mail.phps | 2 +- - examples/mailing_list.phps | 2 +- - examples/pop_before_smtp.phps | 2 +- - examples/sendmail.phps | 2 +- - examples/signed-mail.phps | 2 +- - examples/smtp.phps | 2 +- - examples/smtp_check.phps | 2 +- - examples/smtp_no_auth.phps | 2 +- - examples/ssl_options.phps | 2 +- - get_oauth_token.php | 2 +- - test/bootstrap.php | 2 +- - 17 files changed, 20 insertions(+), 20 deletions(-) - -diff --git a/README.md b/README.md -index 0ecfa5d..16efef8 100644 ---- a/README.md -+++ b/README.md -@@ -68,7 +68,7 @@ While installing the entire package manually or with composer is simple, conveni - - ```php - <?php --require 'PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - $mail = new PHPMailer; - -diff --git a/docs/extending.html b/docs/extending.html -index 4466a1d..1f68963 100644 ---- a/docs/extending.html -+++ b/docs/extending.html -@@ -14,7 +14,7 @@ This demonstrates sending multiple email messages with binary attachments - from a MySQL database using multipart/alternative messages.<p> - - <pre> --require 'PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - $mail = new PHPMailer(); - -@@ -71,7 +71,7 @@ PHP include file: my_phpmailer.php - <p> - - <pre> --require 'PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - class my_phpmailer extends PHPMailer { - // Set default variables for all new objects -diff --git a/examples/code_generator.phps b/examples/code_generator.phps -index 2345856..5e26a25 100644 ---- a/examples/code_generator.phps -+++ b/examples/code_generator.phps -@@ -4,7 +4,7 @@ - * 
revised, updated and corrected 27/02/2013 - * by [email protected] - */ --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - $CFG['smtp_debug'] = 2; //0 == off, 1 for client output, 2 for client and server - $CFG['smtp_debugoutput'] = 'html'; -@@ -40,7 +40,7 @@ $results_messages = array(); - - // $example_code represents the "final code" that we're using, and will - // be shown to the user at the end. --$example_code = "\nrequire_once '../PHPMailerAutoload.php';"; -+$example_code = "\nrequire_once 'libphp-phpmailer/PHPMailerAutoload.php';"; - $example_code .= "\n\n\$results_messages = array();"; - - $mail = new PHPMailer(true); //PHPMailer instance with exceptions enabled -diff --git a/examples/exceptions.phps b/examples/exceptions.phps -index 0e941e7..97378b4 100644 ---- a/examples/exceptions.phps -+++ b/examples/exceptions.phps -@@ -3,7 +3,7 @@ - * This example shows how to make use of PHPMailer's exceptions for error handling. - */ - --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - //Create a new PHPMailer instance - //Passing true to the constructor enables the use of exceptions for error handling -diff --git a/examples/gmail.phps b/examples/gmail.phps -index b3cc02d..896a523 100644 ---- a/examples/gmail.phps -+++ b/examples/gmail.phps -@@ -7,7 +7,7 @@ - //This should be done in your php.ini, but this is how to do it if you don't have access to that - date_default_timezone_set('Etc/UTC'); - --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - //Create a new PHPMailer instance - $mail = new PHPMailer; -diff --git a/examples/gmail_xoauth.phps b/examples/gmail_xoauth.phps -index d64483a..78c6746 100644 ---- a/examples/gmail_xoauth.phps -+++ b/examples/gmail_xoauth.phps -@@ -7,11 +7,11 @@ - //This should be done in your php.ini, but this is how to do it if you don't have access to that - date_default_timezone_set('Etc/UTC'); - --require 
'../PHPMailerAutoload.php'; -+require 'libphp-phpmaillibphp-phpmailer/PHPMailerAutoload.php'; - - //Load dependencies from composer - //If this causes an error, run 'composer install' --require '../vendor/autoload.php'; -+require 'libphp-phpmailer/autoload.php'; - - //Create a new PHPMailer instance - $mail = new PHPMailerOAuth; -diff --git a/examples/mail.phps b/examples/mail.phps -index 8e129f4..41fcf36 100644 ---- a/examples/mail.phps -+++ b/examples/mail.phps -@@ -3,7 +3,7 @@ - * This example shows sending a message using PHP's mail() function. - */ - --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - //Create a new PHPMailer instance - $mail = new PHPMailer; -diff --git a/examples/mailing_list.phps b/examples/mailing_list.phps -index 8644bb5..7f5245c 100644 ---- a/examples/mailing_list.phps -+++ b/examples/mailing_list.phps -@@ -4,7 +4,7 @@ error_reporting(E_STRICT | E_ALL); - - date_default_timezone_set('Etc/UTC'); - --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - $mail = new PHPMailer; - -diff --git a/examples/pop_before_smtp.phps b/examples/pop_before_smtp.phps -index 164dfe8..97314b5 100644 ---- a/examples/pop_before_smtp.phps -+++ b/examples/pop_before_smtp.phps -@@ -3,7 +3,7 @@ - * This example shows how to use POP-before-SMTP for authentication. - */ - --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - //Authenticate via POP3. - //After this you should be allowed to submit messages over SMTP for a while. -diff --git a/examples/sendmail.phps b/examples/sendmail.phps -index a830e49..0c157b6 100644 ---- a/examples/sendmail.phps -+++ b/examples/sendmail.phps -@@ -3,7 +3,7 @@ - * This example shows sending a message using a local sendmail binary. 
- */ - --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - //Create a new PHPMailer instance - $mail = new PHPMailer; -diff --git a/examples/signed-mail.phps b/examples/signed-mail.phps -index 9d70d01..1e8cf76 100644 ---- a/examples/signed-mail.phps -+++ b/examples/signed-mail.phps -@@ -44,7 +44,7 @@ - * STEP 3 - Code - */ - --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - //Create a new PHPMailer instance - $mail = new PHPMailer(); -diff --git a/examples/smtp.phps b/examples/smtp.phps -index 7c6b023..1eb09f7 100644 ---- a/examples/smtp.phps -+++ b/examples/smtp.phps -@@ -7,7 +7,7 @@ - //This should be done in your php.ini, but this is how to do it if you don't have access to that - date_default_timezone_set('Etc/UTC'); - --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - //Create a new PHPMailer instance - $mail = new PHPMailer; -diff --git a/examples/smtp_check.phps b/examples/smtp_check.phps -index c42ed0b..b3b80b9 100644 ---- a/examples/smtp_check.phps -+++ b/examples/smtp_check.phps -@@ -8,7 +8,7 @@ - //This should be done in your php.ini, but this is how to do it if you don't have access to that - date_default_timezone_set('Etc/UTC'); - --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - //Create a new SMTP instance - $smtp = new SMTP; -diff --git a/examples/smtp_no_auth.phps b/examples/smtp_no_auth.phps -index b590298..ab3306f 100644 ---- a/examples/smtp_no_auth.phps -+++ b/examples/smtp_no_auth.phps -@@ -7,7 +7,7 @@ - //This should be done in your php.ini, but this is how to do it if you don't have access to that - date_default_timezone_set('Etc/UTC'); - --require_once '../PHPMailerAutoload.php'; -+require_once 'libphp-phpmailer/PHPMailerAutoload.php'; - - //Create a new PHPMailer instance - $mail = new PHPMailer; -diff --git a/examples/ssl_options.phps b/examples/ssl_options.phps -index 
cc41495..58d4c07 100644 ---- a/examples/ssl_options.phps -+++ b/examples/ssl_options.phps -@@ -7,7 +7,7 @@ - //This should be done in your php.ini, but this is how to do it if you don't have access to that - date_default_timezone_set('Etc/UTC'); - --require '../PHPMailerAutoload.php'; -+require 'libphp-phpmailer/PHPMailerAutoload.php'; - - //Create a new PHPMailer instance - $mail = new PHPMailer; -diff --git a/get_oauth_token.php b/get_oauth_token.php -index 46eb28a..dcbe1a8 100644 ---- a/get_oauth_token.php -+++ b/get_oauth_token.php -@@ -13,7 +13,7 @@ - * PHP Version 5.4 - */ - --require 'vendor/autoload.php'; -+require 'libphp-phpmailer/autoload.php'; - - session_start(); - -diff --git a/test/bootstrap.php b/test/bootstrap.php -index 056c16d..50d12ba 100644 ---- a/test/bootstrap.php -+++ b/test/bootstrap.php -@@ -1,5 +1,5 @@ - <?php --require_once 'vendor/autoload.php'; -+require_once 'libphp-phpmailer/autoload.php'; - spl_autoload_register(function ($class) { - require_once strtr($class, '\\_', '//').'.php'; - }); diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch libphp-phpmailer-6.0.6/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch --- libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch 2018-12-01 14:32:02.000000000 +0100 +++ libphp-phpmailer-6.0.6/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,106 +0,0 @@ -diff -Nur libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php ---- libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php 2015-11-01 10:15:28.000000000 +0000 -+++ libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php 2017-01-02 14:20:47.484824213 +0000 -@@ -1329,19 +1329,24 @@ - */ - protected function sendmailSend($header, $body) - { -- if ($this->Sender != '') { -+ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. -+ if (!empty($this->Sender) and self::isShellSafe($this->Sender)) { - if ($this->Mailer == 'qmail') { -- $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender)); -+ $sendmailFmt = '%s -f%s'; - } else { -- $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender)); -+ $sendmailFmt = '%s -oi -f%s -t'; - } - } else { - if ($this->Mailer == 'qmail') { -- $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail)); -+ $sendmailFmt = '%s'; - } else { -- $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail)); -+ $sendmailFmt = '%s -oi -t'; - } - } -+ -+ // TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing. -+ $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender); -+ - if ($this->SingleTo) { - foreach ($this->SingleToArray as $toAddr) { - if (!@$mail = popen($sendmail, 'w')) { -@@ -1388,6 +1393,38 @@ - } - - /** -+ * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters. -+ * -+ * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows. 
-+ * @param string $string The string to be validated -+ * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report -+ * @access protected -+ * @return boolean -+ */ -+ protected static function isShellSafe($string) -+ { -+ // Future-proof -+ if (escapeshellcmd($string) !== $string or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) { -+ return false; -+ } -+ -+ $length = strlen($string); -+ -+ for ($i = 0; $i < $length; $i++) { -+ $c = $string[$i]; -+ -+ // All other characters have a special meaning in at least one common shell, including = and +. -+ // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here. -+ // Note that this does permit non-Latin alphanumeric characters based on the current locale. -+ if (!ctype_alnum($c) && strpos('@_-.', $c) === false) { -+ return false; -+ } -+ } -+ -+ return true; -+ } -+ -+ /** - * Send mail using the PHP mail() function. - * @param string $header The message headers - * @param string $body The message body -@@ -1404,12 +1441,14 @@ - } - $to = implode(', ', $toArr); - -- if (empty($this->Sender)) { -- $params = ' '; -- } else { -- $params = sprintf('-f%s', $this->Sender); -+ $params = null; -+ if (!empty($this->Sender) and $this->validateAddress($this->Sender)) { -+ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. 
-+ if (self::isShellSafe($this->Sender)) { -+ $params = sprintf('-f%s', $this->Sender); -+ } - } -- if ($this->Sender != '' and !ini_get('safe_mode')) { -+ if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) { - $old_from = ini_get('sendmail_from'); - ini_set('sendmail_from', $this->Sender); - } -@@ -1463,10 +1502,10 @@ - if (!$this->smtpConnect($this->SMTPOptions)) { - throw new phpmailerException($this->lang('smtp_connect_failed'), self::STOP_CRITICAL); - } -- if ('' == $this->Sender) { -- $smtp_from = $this->From; -- } else { -+ if (!empty($this->Sender) and $this->validateAddress($this->Sender)) { - $smtp_from = $this->Sender; -+ } else { -+ $smtp_from = $this->From; - } - if (!$this->smtp->mail($smtp_from)) { - $this->setError($this->lang('from_failed') . $smtp_from . ' : ' . implode(',', $this->smtp->getError())); diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0003-CVE-2017-5223.patch libphp-phpmailer-6.0.6/debian/patches/0003-CVE-2017-5223.patch --- libphp-phpmailer-5.2.14+dfsg/debian/patches/0003-CVE-2017-5223.patch 2018-12-01 14:32:02.000000000 +0100 +++ libphp-phpmailer-6.0.6/debian/patches/0003-CVE-2017-5223.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,92 +0,0 @@ -From: Markus Koschany <[email protected]> -Date: Sat, 25 Feb 2017 19:00:40 +0100 -Subject: CVE-2017-5223 - -It was discovered that there was a local file disclosure vulnerability in -libphp-phpmailer, a email transfer class for PHP, where insufficient parsing of -HTML messages could potentially be used by attacker to read a local file. - -Bug-Debian: https://bugs.debian.org/853232 -Origin: https://github.com/PHPMailer/PHPMailer/commit/ad4cb09682682da2217799a0c521d4cdc6753402 ---- - class.phpmailer.php | 30 +++++++++++++++++++++++------- - 1 file changed, 23 insertions(+), 7 deletions(-) - -diff --git a/class.phpmailer.php b/class.phpmailer.php -index 8aa4752..5c43d1b 100644 ---- a/class.phpmailer.php -+++ b/class.phpmailer.php -@@ -2418,6 +2418,7 @@ class PHPMailer - - /** - * Add an attachment from a path on the filesystem. -+ * Never use a user-supplied path to a file! - * Returns false if the file could not be found or read. - * @param string $path Path to the attachment. - * @param string $name Overrides the attachment name. -@@ -2943,6 +2944,7 @@ class PHPMailer - * displayed inline with the message, not just attached for download. - * This is used in HTML messages that embed the images - * the HTML refers to using the $cid value. -+ * Never use a user-supplied path to a file! - * @param string $path Path to the attachment. - * @param string $cid Content ID of the attachment; Use this to reference - * the content when using an embedded image in HTML. -@@ -3306,10 +3308,14 @@ class PHPMailer - * Create a message from an HTML string. - * Automatically makes modifications for inline images and backgrounds - * and creates a plain-text version by converting the HTML. -- * Overwrites any existing values in $this->Body and $this->AltBody -+ * Overwrites any existing values in Body and AltBody -+ * Do not source $message content from user input! -+ * $basedir is prepended when handling relative URLs, e.g. 
<img src="/images/a.png"> and must not be empty -+ * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email) -+ * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly. - * @access public - * @param string $message HTML message string -- * @param string $basedir baseline directory for path -+ * @param string $basedir Absolute path to a base directory to prepend to relative paths to images - * @param boolean|callable $advanced Whether to use the internal HTML to text converter - * or your own custom converter @see PHPMailer::html2text() - * @return string $message -@@ -3318,6 +3324,10 @@ class PHPMailer - { - preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images); - if (array_key_exists(2, $images)) { -+ if (strlen($basedir) > 1 && substr($basedir, -1) != '/') { -+ // Ensure $basedir has a trailing / -+ $basedir .= '/'; -+ } - foreach ($images[2] as $imgindex => $url) { - // Convert data URIs into embedded images - if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) { -@@ -3335,18 +3345,24 @@ class PHPMailer - $message - ); - } -- } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[A-z]+://#', $url)) { -- // Do not change urls for absolute images (thanks to corvuscorax) -+ continue; -+ } -+ if ( -+ // Only process relative URLs if a basedir is provided (i.e. no absolute local paths) -+ !empty($basedir) -+ // Ignore URLs containing parent dir traversal (..) -+ && (strpos($url, '..') === false) - // Do not change urls that are already inline images -+ && substr($url, 0, 4) !== 'cid:' -+ // Do not change absolute URLs, including anonymous protocol -+ && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url) -+ ) { - $filename = basename($url); - $directory = dirname($url); - if ($directory == '.') { - $directory = ''; - } - $cid = md5($url) . 
'@phpmailer.0'; // RFC2392 S 2 -- if (strlen($basedir) > 1 && substr($basedir, -1) != '/') { -- $basedir .= '/'; -- } - if (strlen($directory) > 1 && substr($directory, -1) != '/') { - $directory .= '/'; - } diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch libphp-phpmailer-6.0.6/debian/patches/0004-CVE-2018-19296.patch --- libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch 2018-12-01 15:09:27.000000000 +0100 +++ libphp-phpmailer-6.0.6/debian/patches/0004-CVE-2018-19296.patch 1970-01-01 01:00:00.000000000 +0100 
@@ -1,114 +0,0 @@ -From: Marcus Bointon <[email protected]> -Date: Thu, 15 Nov 2018 23:27:24 +0100 -Subject: Backport changes for CVE-2018-19296 -Origin: https://github.com/PHPMailer/PHPMailer/commit/f1231a9771505f4f34da060390d82eadb8448271 -Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19296 -Bug-Debian: https://bugs.debian.org/913912 - -[Salvatore Bonaccorso: Backport changes to 5.2.14: Check for permitted -path for $this->DKIM_private before checking if file_exists following -the logic applied for the upstream patch] ---- - class.phpmailer.php | 31 ++++++++++++++++++++++++------- - test/phpmailerTest.php | 16 ++++++++++++++++ - 2 files changed, 40 insertions(+), 7 deletions(-) - ---- a/class.phpmailer.php -+++ b/class.phpmailer.php -@@ -1263,6 +1263,7 @@ class PHPMailer - if (!empty($this->DKIM_domain) - && !empty($this->DKIM_private) - && !empty($this->DKIM_selector) -+ && self::isPermittedPath($this->DKIM_private) - && file_exists($this->DKIM_private)) { - $header_dkim = $this->DKIM_Add( - $this->MIMEHeader . $this->mailHeader, -@@ -1425,6 +1426,18 @@ class PHPMailer - } - - /** -+ * Check whether a file path is of a permitted type. -+ * Used to reject URLs and phar files from functions that access local file paths, -+ * such as addAttachment. -+ * @param string $path A relative or absolute path to a file. -+ * @return bool -+ */ -+ protected static function isPermittedPath($path) -+ { -+ return !preg_match('#^[a-z]+://#i', $path); -+ } -+ -+ /** - * Send mail using the PHP mail() function. - * @param string $header The message headers - * @param string $body The message body -@@ -1723,7 +1736,7 @@ class PHPMailer - // There is no English translation file - if ($langcode != 'en') { - // Make sure language file path is readable -- if (!is_readable($lang_file)) { -+ if (!self::isPermittedPath($lang_file) or !is_readable($lang_file)) { - $foundlang = false; - } else { - // Overwrite language-specific strings. 
-@@ -2420,6 +2433,8 @@ class PHPMailer - * Add an attachment from a path on the filesystem. - * Never use a user-supplied path to a file! - * Returns false if the file could not be found or read. -+ * Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client. -+ * If you need to do that, fetch the resource yourself and pass it in via a local file or string. - * @param string $path Path to the attachment. - * @param string $name Overrides the attachment name. - * @param string $encoding File encoding (see $Encoding). -@@ -2431,7 +2446,7 @@ class PHPMailer - public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment') - { - try { -- if (!@is_file($path)) { -+ if (!self::isPermittedPath($path) or !@is_file($path)) { - throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE); - } - -@@ -2612,7 +2627,7 @@ class PHPMailer - protected function encodeFile($path, $encoding = 'base64') - { - try { -- if (!is_readable($path)) { -+ if (!self::isPermittedPath($path) or !file_exists($path)) { - throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE); - } - $magic_quotes = get_magic_quotes_runtime(); -@@ -2956,7 +2971,7 @@ class PHPMailer - */ - public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline') - { -- if (!@is_file($path)) { -+ if (!self::isPermittedPath($path) or !@is_file($path)) { - $this->setError($this->lang('file_access') . $path); - return false; - } ---- a/test/phpmailerTest.php -+++ b/test/phpmailerTest.php -@@ -740,6 +740,22 @@ class PHPMailerTest extends PHPUnit_Fram - } - - /** -+ * Rejection of non-local file attachments test. 
-+ */
-+ public function testRejectNonLocalFileAttachment()
-+ {
-+ $this->assertFalse(
-+ $this->Mail->addAttachment('https://github.com/PHPMailer/PHPMailer/raw/master/README.md'),
-+ 'addAttachment should reject remote URLs'
-+ );
-+
-+ $this->assertFalse(
-+ $this->Mail->addAttachment('phar://phar.php'),
-+ 'addAttachment should reject phar resources'
-+ );
-+ }
-+
-+ /**
- * Simple plain string attachment test.
- */
- public function testPlainStringAttachment()
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/series libphp-phpmailer-6.0.6/debian/patches/series
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/series 2018-12-01 14:57:11.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
@@ -1,4 +0,0 @@
-0001-Fix-actual-autoloader-path.patch
-0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
-0003-CVE-2017-5223.patch
-0004-CVE-2018-19296.patch
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/rules libphp-phpmailer-6.0.6/debian/rules
--- libphp-phpmailer-5.2.14+dfsg/debian/rules 2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/rules 2019-01-13 09:30:40.000000000 +0100
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 %:
- dh $@ --with phpcomposer -Xextras/README.md -Xgeneratedocs.sh
+ dh $@ --with phpcomposer
 
 override_dh_auto_build:
 phpab \
@@ -9,9 +9,5 @@
 --exclude '*/.pc/*' \
 .
 
-override_dh_installdocs:
- dh_installdocs
- install extras/README.md debian/libphp-phpmailer/usr/share/doc/libphp-phpmailer/README-extras.md
-
 get-orig-source:
 uscan --rename --verbose --force