Awight has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/329541 )
Change subject: Update PHPMailer
......................................................................

Update PHPMailer

Bug: T154209
Change-Id: I761c51473e7dde1faff1b1fc181300bba594dc49
---
M composer/installed.json
M phpmailer/phpmailer/VERSION
M phpmailer/phpmailer/class.phpmailer.php
M phpmailer/phpmailer/class.phpmaileroauthgoogle.php
M phpmailer/phpmailer/class.pop3.php
M phpmailer/phpmailer/class.smtp.php
M phpmailer/phpmailer/extras/htmlfilter.php
M phpmailer/phpmailer/get_oauth_token.php
8 files changed, 68 insertions(+), 26 deletions(-)

Approvals:
  Awight: Verified; Looks good to me, approved

diff --git a/composer/installed.json b/composer/installed.json
index 02ab9f6..fe0c886 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -1225,17 +1225,17 @@
 },
 {
 "name": "phpmailer/phpmailer",
- "version": "v5.2.19",
- "version_normalized": "5.2.19.0",
+ "version": "v5.2.21",
+ "version_normalized": "5.2.21.0",
 "source": {
 "type": "git",
 "url": "https://github.com/PHPMailer/PHPMailer.git",
- "reference": "9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9"
+ "reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9",
- "reference": "9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9",
+ "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/1d51856b76c06fc687fcd9180efa7a0bed0d761e",
+ "reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e",
 "shasum": ""
 },
 "require": {
@@ -1248,7 +1248,7 @@
 "suggest": {
 "league/oauth2-google": "Needed for Google XOAUTH2 authentication"
 },
- "time": "2016-12-26 10:09:10",
+ "time": "2016-12-28 15:35:48",
 "type": "library",
 "installation-source": "dist",
 "autoload": {
diff --git a/phpmailer/phpmailer/VERSION b/phpmailer/phpmailer/VERSION
index 1c26b6f..567eefa 100644
--- a/phpmailer/phpmailer/VERSION
+++ b/phpmailer/phpmailer/VERSION
@@ -1 +1 @@
-5.2.19
\ No newline at end of file
+5.2.21 
diff --git a/phpmailer/phpmailer/class.phpmailer.php b/phpmailer/phpmailer/class.phpmailer.php
index 6afcf9a..8ff13f1 100644
--- a/phpmailer/phpmailer/class.phpmailer.php
+++ b/phpmailer/phpmailer/class.phpmailer.php
@@ -31,7 +31,7 @@
 * The PHPMailer Version number.
 * @var string
 */
- public $Version = '5.2.19';
+ public $Version = '5.2.21';
 
 /**
 * Email priority.
@@ -1364,19 +1364,24 @@
 */
 protected function sendmailSend($header, $body)
 {
- if (!empty($this->Sender)) {
+ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+ if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
 if ($this->Mailer == 'qmail') {
- $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+ $sendmailFmt = '%s -f%s';
 } else {
- $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+ $sendmailFmt = '%s -oi -f%s -t';
 }
 } else {
 if ($this->Mailer == 'qmail') {
- $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
+ $sendmailFmt = '%s';
 } else {
- $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
+ $sendmailFmt = '%s -oi -t';
 }
 }
+
+ // TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing.
+ $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
+
 if ($this->SingleTo) {
 foreach ($this->SingleToArray as $toAddr) {
 if (!@$mail = popen($sendmail, 'w')) {
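Review bot: In the new else branch, a Sender that isShellSafe() rejects is silently dropped from the command, so a legitimate envelope sender containing a character outside the `@_-.` plus alphanumeric allowlist (for example the `+` used in VERP/bounce addresses) loses its `-f` and the message still goes out with the MTA's default return path, with no diagnostic; the mailSend hunk in the next part of this file has the same silent fallback. A debug line in the else branch would make that degradation visible to operators, e.g. `if (!empty($this->Sender)) { $this->edebug('Sender contains characters unsafe for the shell; -f omitted'); }`. Note also that this path, unlike mailSend, does not run validateAddress() on Sender, so the allowlist in isShellSafe() is the only guard on what reaches popen(); that is sufficient as written but should be kept in mind if the TODO about escapeshellarg is ever acted on. sendmailSend() continues past the end of the hunk.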
@@ -1423,6 +1428,40 @@
 }
 
 /**
+ * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
+ *
+ * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+ * @param string $string The string to be validated
+ * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
+ * @access protected
+ * @return boolean
+ */
+ protected static function isShellSafe($string)
+ {
+ // Future-proof
+ if (escapeshellcmd($string) !== $string
+ or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))
+ ) {
+ return false;
+ }
+
+ $length = strlen($string);
+
+ for ($i = 0; $i < $length; $i++) {
+ $c = $string[$i];
+
+ // All other characters have a special meaning in at least one common shell, including = and +.
+ // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+ // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+ if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
+ /**
 * Send mail using the PHP mail() function.
 * @param string $header The message headers
 * @param string $body The message body
@@ -1442,7 +1481,10 @@
 $params = null;
 //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
 if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
- $params = sprintf('-f%s', escapeshellarg($this->Sender));
+ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+ if (self::isShellSafe($this->Sender)) {
+ $params = sprintf('-f%s', $this->Sender);
+ }
 }
 if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
 $old_from = ini_get('sendmail_from');
diff --git a/phpmailer/phpmailer/class.phpmaileroauthgoogle.php b/phpmailer/phpmailer/class.phpmaileroauthgoogle.php
index 8d169b2..71c9bd3 100644
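Review bot: isShellSafe() returns true for the empty string — both escaping comparisons hold trivially and the byte loop never runs — so its safety rests on every caller pairing it with an `!empty($this->Sender)` check, as the two call sites in this commit do, yet the docblock does not state that contract. The per-byte `ctype_alnum($c)` test is also locale-dependent, as the inline comment admits, so the accepted set may vary by environment (bytes above 0x7F can be accepted under some single-byte locales); that is not a shell-metacharacter risk, but it does make the allowlist harder to reason about. I would extend the docblock with `@return boolean True only when every byte is alphanumeric (per the current locale) or one of "@_-."; the empty string passes, so callers must check for emptiness themselves.`, and if a fixed accepted set is preferred the loop can be replaced by an explicit ASCII test such as `return preg_match('/^[A-Za-z0-9@_.-]+$/D', $string) === 1;` (which also rejects the empty string). The `in_array` call should pass `true` as its third argument for a strict comparison, even though both sides are strings here.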
--- a/phpmailer/phpmailer/class.phpmaileroauthgoogle.php
+++ b/phpmailer/phpmailer/class.phpmaileroauthgoogle.php
@@ -51,10 +51,10 @@
 
 private function getProvider()
 {
- return new League\OAuth2\Client\Provider\Google(array(
+ return new League\OAuth2\Client\Provider\Google([
 'clientId' => $this->oauthClientId,
 'clientSecret' => $this->oauthClientSecret
- ));
+ ]);
 }
 
 private function getGrant()
@@ -66,7 +66,7 @@
 {
 $provider = $this->getProvider();
 $grant = $this->getGrant();
- return $provider->getAccessToken($grant, array('refresh_token' => $this->oauthRefreshToken));
+ return $provider->getAccessToken($grant, ['refresh_token' => $this->oauthRefreshToken]);
 }
 
 public function getOauth64()
diff --git a/phpmailer/phpmailer/class.pop3.php b/phpmailer/phpmailer/class.pop3.php
index 32d614b..373c886 100644
--- a/phpmailer/phpmailer/class.pop3.php
+++ b/phpmailer/phpmailer/class.pop3.php
@@ -34,7 +34,7 @@
 * @var string
 * @access public
 */
- public $Version = '5.2.19';
+ public $Version = '5.2.21';
 
 /**
 * Default POP3 port number.
diff --git a/phpmailer/phpmailer/class.smtp.php b/phpmailer/phpmailer/class.smtp.php
index 04ced65..270162b 100644
--- a/phpmailer/phpmailer/class.smtp.php
+++ b/phpmailer/phpmailer/class.smtp.php
@@ -30,7 +30,7 @@
 * The PHPMailer SMTP version number.
 * @var string
 */
- const VERSION = '5.2.19';
+ const VERSION = '5.2.21';
 
 /**
 * SMTP line break constant.
@@ -81,7 +81,7 @@
 * @deprecated Use the `VERSION` constant instead
 * @see SMTP::VERSION
 */
- public $Version = '5.2.19';
+ public $Version = '5.2.21';
 
 /**
 * SMTP server port number.
diff --git a/phpmailer/phpmailer/extras/htmlfilter.php b/phpmailer/phpmailer/extras/htmlfilter.php
index e9ce434..7727487 100644
--- a/phpmailer/phpmailer/extras/htmlfilter.php
+++ b/phpmailer/phpmailer/extras/htmlfilter.php
@@ -772,7 +772,7 @@
 tln_defang($contentTemp);
 tln_unspace($contentTemp);
 
- $match = array('/\/\*.*\*\//',
+ $match = Array('/\/\*.*\*\//',
 '/expression/i',
 '/behaviou*r/i',
 '/binding/i',
@@ -780,7 +780,7 @@
 '/javascript/i',
 '/script/i',
 '/position/i');
- $replace = array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
+ $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
 $contentNew = preg_replace($match, $replace, $contentTemp);
 if ($contentNew !== $contentTemp) {
 $content = $contentNew;
diff --git a/phpmailer/phpmailer/get_oauth_token.php b/phpmailer/phpmailer/get_oauth_token.php
index b95d5c4..2c26d0f 100644
--- a/phpmailer/phpmailer/get_oauth_token.php
+++ b/phpmailer/phpmailer/get_oauth_token.php
@@ -80,24 +80,24 @@
 
 $params = array_merge(
 parent::getAuthorizationParameters($options),
- array_filter(array(
+ array_filter([
 'hd' => $this->hostedDomain,
 'access_type' => $this->accessType,
 'scope' => $this->scope,
 // if the user is logged in with more than one account ask which one to use for the login!
 'authuser' => '-1'
- ))
+ ])
 );
 return $params;
 }
 
 protected function getDefaultScopes()
 {
- return array(
+ return [
 'email',
 'openid',
 'profile',
- );
+ ];
 }
 
 protected function getScopeSeparator()

-- 
To view, visit https://gerrit.wikimedia.org/r/329541
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I761c51473e7dde1faff1b1fc181300bba594dc49
Gerrit-PatchSet: 1
Gerrit-Project: wikimedia/fundraising/crm/vendor
Gerrit-Branch: master
Gerrit-Owner: Awight <awi...@wikimedia.org>
Gerrit-Reviewer: Awight <awi...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits