Awight has submitted this change and it was merged. ( 
https://gerrit.wikimedia.org/r/329541 )

Change subject: Update PHPMailer
......................................................................


Update PHPMailer

Bug: T154209
Change-Id: I761c51473e7dde1faff1b1fc181300bba594dc49
---
M composer/installed.json
M phpmailer/phpmailer/VERSION
M phpmailer/phpmailer/class.phpmailer.php
M phpmailer/phpmailer/class.phpmaileroauthgoogle.php
M phpmailer/phpmailer/class.pop3.php
M phpmailer/phpmailer/class.smtp.php
M phpmailer/phpmailer/extras/htmlfilter.php
M phpmailer/phpmailer/get_oauth_token.php
8 files changed, 68 insertions(+), 26 deletions(-)

Approvals:
  Awight: Verified; Looks good to me, approved



diff --git a/composer/installed.json b/composer/installed.json
index 02ab9f6..fe0c886 100644
--- a/composer/installed.json
+++ b/composer/installed.json
@@ -1225,17 +1225,17 @@
     },
     {
         "name": "phpmailer/phpmailer",
-        "version": "v5.2.19",
-        "version_normalized": "5.2.19.0",
+        "version": "v5.2.21",
+        "version_normalized": "5.2.21.0",
         "source": {
             "type": "git",
             "url": "https://github.com/PHPMailer/PHPMailer.git";,
-            "reference": "9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9"
+            "reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e"
         },
         "dist": {
             "type": "zip",
-            "url": 
"https://api.github.com/repos/PHPMailer/PHPMailer/zipball/9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9";,
-            "reference": "9e4b8fb3deb7d9cfa515c04cec41f71bc37ce9a9",
+            "url": 
"https://api.github.com/repos/PHPMailer/PHPMailer/zipball/1d51856b76c06fc687fcd9180efa7a0bed0d761e";,
+            "reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e",
             "shasum": ""
         },
         "require": {
@@ -1248,7 +1248,7 @@
         "suggest": {
             "league/oauth2-google": "Needed for Google XOAUTH2 authentication"
         },
-        "time": "2016-12-26 10:09:10",
+        "time": "2016-12-28 15:35:48",
         "type": "library",
         "installation-source": "dist",
         "autoload": {
diff --git a/phpmailer/phpmailer/VERSION b/phpmailer/phpmailer/VERSION
index 1c26b6f..567eefa 100644
--- a/phpmailer/phpmailer/VERSION
+++ b/phpmailer/phpmailer/VERSION
@@ -1 +1 @@
-5.2.19
\ No newline at end of file
+5.2.21
diff --git a/phpmailer/phpmailer/class.phpmailer.php 
b/phpmailer/phpmailer/class.phpmailer.php
index 6afcf9a..8ff13f1 100644
--- a/phpmailer/phpmailer/class.phpmailer.php
+++ b/phpmailer/phpmailer/class.phpmailer.php
@@ -31,7 +31,7 @@
      * The PHPMailer Version number.
      * @var string
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**
      * Email priority.
@@ -1364,19 +1364,24 @@
      */
     protected function sendmailSend($header, $body)
     {
-        if (!empty($this->Sender)) {
+        // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be 
escaped.
+        if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
             if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s -f%s', 
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -f%s';
             } else {
-                $sendmail = sprintf('%s -oi -f%s -t', 
escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -oi -f%s -t';
             }
         } else {
             if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s';
             } else {
-                $sendmail = sprintf('%s -oi -t', 
escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s -oi -t';
             }
         }
+
+        // TODO: If possible, this should be changed to escapeshellarg.  Needs 
thorough testing.
+        $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), 
$this->Sender);
+
         if ($this->SingleTo) {
             foreach ($this->SingleToArray as $toAddr) {
                 if (!@$mail = popen($sendmail, 'w')) {
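Review bot: The `-f` branch at the top of this hunk gates on `isShellSafe` alone, whereas the parallel `mailSend` path in this same diff requires `$this->validateAddress($this->Sender)` as well, so a value assigned directly to the public `Sender` property (for example `foo` or `a.b`) is accepted here as an envelope sender even though it is not an address. The same syntactic check would keep the two transports consistent: `if (!empty($this->Sender) and $this->validateAddress($this->Sender) and self::isShellSafe($this->Sender)) {`. The TODO above the `sprintf` also sits oddly next to `isShellSafe`'s docblock, which states that `escapeshellarg` is inadequate on Windows; once the value is restricted to `[A-Za-z0-9@_.-]` no shell quoting is needed, and the comment would be clearer saying so rather than proposing to reintroduce `escapeshellarg`. The rest of `sendmailSend` (the `popen` loop and its error handling) continues outside the hunk.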
@@ -1423,6 +1428,40 @@
     }
 
     /**
+     * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe 
shell characters.
+     *
+     * Note that escapeshellarg and escapeshellcmd are inadequate for our 
purposes, especially on Windows.
+     * @param string $string The string to be validated
+     * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 
bug report
+     * @access protected
+     * @return boolean
+     */
+    protected static function isShellSafe($string)
+    {
+        // Future-proof
+        if (escapeshellcmd($string) !== $string
+            or !in_array(escapeshellarg($string), array("'$string'", 
"\"$string\""))
+        ) {
+            return false;
+        }
+
+        $length = strlen($string);
+
+        for ($i = 0; $i < $length; $i++) {
+            $c = $string[$i];
+
+            // All other characters have a special meaning in at least one 
common shell, including = and +.
+            // Full stop (.) has a special meaning in cmd.exe, but its impact 
should be negligible here.
+            // Note that this does permit non-Latin alphanumeric characters 
based on the current locale.
+            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
      * Send mail using the PHP mail() function.
      * @param string $header The message headers
      * @param string $body The message body
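Review bot: The per-character loop in `isShellSafe` relies on `ctype_alnum`, which the inline comment itself acknowledges is locale-dependent, so whether a high-bit byte is accepted depends on whatever `setlocale` the host application has applied; the intended allow-list is the fixed set `A-Za-z0-9@_.-`, and an explicit ASCII pattern removes that variable. The loop could be replaced by one locale-independent check: `if (preg_match('/\A[A-Za-z0-9@_.-]+\z/', $string) !== 1) { return false; }`. Note that the empty string would then be rejected where the loop version returns true; both callers in this diff test `!empty($this->Sender)` first, so that should be a no-op in practice, but it is worth confirming for any other caller. The `in_array` in the "future-proof" guard should also pass `true` as its third argument so the comparison is strict.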
@@ -1442,7 +1481,10 @@
         $params = null;
         //This sets the SMTP envelope sender which gets turned into a 
return-path header by the receiver
         if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
-            $params = sprintf('-f%s', escapeshellarg($this->Sender));
+            // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters 
will be escaped.
+            if (self::isShellSafe($this->Sender)) {
+                $params = sprintf('-f%s', $this->Sender);
+            }
         }
         if (!empty($this->Sender) and !ini_get('safe_mode') and 
$this->validateAddress($this->Sender)) {
             $old_from = ini_get('sendmail_from');
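Review bot: When `$this->Sender` passes `validateAddress` but fails `isShellSafe`, the inner `if` leaves `$params` null and the message is handed to `mail()` with no `-f` at all, so the configured envelope sender is silently dropped and nothing tells the caller why the Return-Path differs from what was set. At minimum the fallback deserves a comment on the inner `if`: `// Sender is a valid address but contains shell-significant characters: send without -f rather than risk injection (CVE-2016-10045).` Whether a debug message should be emitted as well depends on the class's debug helper, which is not visible in this hunk. The remainder of `mailSend` continues below the hunk.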
diff --git a/phpmailer/phpmailer/class.phpmaileroauthgoogle.php 
b/phpmailer/phpmailer/class.phpmaileroauthgoogle.php
index 8d169b2..71c9bd3 100644
--- a/phpmailer/phpmailer/class.phpmaileroauthgoogle.php
+++ b/phpmailer/phpmailer/class.phpmaileroauthgoogle.php
@@ -51,10 +51,10 @@
 
     private function getProvider()
     {
-        return new League\OAuth2\Client\Provider\Google(array(
+        return new League\OAuth2\Client\Provider\Google([
             'clientId' => $this->oauthClientId,
             'clientSecret' => $this->oauthClientSecret
-        ));
+        ]);
     }
 
     private function getGrant()
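Review bot: The `array(` → `[` rewrite in `getProvider` (repeated in the next hunk and in `get_oauth_token.php`) introduces short array syntax, which requires PHP 5.4 or later, while the other hunks in this same diff still use `array(`/`Array(`; if the package's declared PHP floor is below 5.4 (its `require` block in `installed.json` is cut off in this diff), this cosmetic change becomes a parse error on those interpreters. A purely stylistic change with no functional payoff is not worth that risk in a library release; keeping `array(` here would be the conservative choice, or the minimum PHP version should be raised explicitly and documented. The enclosing class starts outside the hunk.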
@@ -66,7 +66,7 @@
     {
         $provider = $this->getProvider();
         $grant = $this->getGrant();
-        return $provider->getAccessToken($grant, array('refresh_token' => 
$this->oauthRefreshToken));
+        return $provider->getAccessToken($grant, ['refresh_token' => 
$this->oauthRefreshToken]);
     }
 
     public function getOauth64()
diff --git a/phpmailer/phpmailer/class.pop3.php 
b/phpmailer/phpmailer/class.pop3.php
index 32d614b..373c886 100644
--- a/phpmailer/phpmailer/class.pop3.php
+++ b/phpmailer/phpmailer/class.pop3.php
@@ -34,7 +34,7 @@
      * @var string
      * @access public
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**
      * Default POP3 port number.
diff --git a/phpmailer/phpmailer/class.smtp.php 
b/phpmailer/phpmailer/class.smtp.php
index 04ced65..270162b 100644
--- a/phpmailer/phpmailer/class.smtp.php
+++ b/phpmailer/phpmailer/class.smtp.php
@@ -30,7 +30,7 @@
      * The PHPMailer SMTP version number.
      * @var string
      */
-    const VERSION = '5.2.19';
+    const VERSION = '5.2.21';
 
     /**
      * SMTP line break constant.
@@ -81,7 +81,7 @@
      * @deprecated Use the `VERSION` constant instead
      * @see SMTP::VERSION
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**
      * SMTP server port number.
diff --git a/phpmailer/phpmailer/extras/htmlfilter.php 
b/phpmailer/phpmailer/extras/htmlfilter.php
index e9ce434..7727487 100644
--- a/phpmailer/phpmailer/extras/htmlfilter.php
+++ b/phpmailer/phpmailer/extras/htmlfilter.php
@@ -772,7 +772,7 @@
     tln_defang($contentTemp);
     tln_unspace($contentTemp);
 
-    $match   = array('/\/\*.*\*\//',
+    $match   = Array('/\/\*.*\*\//',
                     '/expression/i',
                     '/behaviou*r/i',
                     '/binding/i',
@@ -780,7 +780,7 @@
                     '/javascript/i',
                     '/script/i',
                     '/position/i');
-    $replace = array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 
'idiocy', '');
+    $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 
'idiocy', '');
     $contentNew = preg_replace($match, $replace, $contentTemp);
     if ($contentNew !== $contentTemp) {
         $content = $contentNew;
diff --git a/phpmailer/phpmailer/get_oauth_token.php 
b/phpmailer/phpmailer/get_oauth_token.php
index b95d5c4..2c26d0f 100644
--- a/phpmailer/phpmailer/get_oauth_token.php
+++ b/phpmailer/phpmailer/get_oauth_token.php
@@ -80,24 +80,24 @@
 
         $params = array_merge(
             parent::getAuthorizationParameters($options),
-            array_filter(array(
+            array_filter([
                 'hd'          => $this->hostedDomain,
                 'access_type' => $this->accessType,
                'scope'       => $this->scope,
                 // if the user is logged in with more than one account ask 
which one to use for the login!
                 'authuser'    => '-1'
-            ))
+            ])
         );
         return $params;
     }
 
     protected function getDefaultScopes()
     {
-        return array(
+        return [
             'email',
             'openid',
             'profile',
-        );
+        ];
     }
 
     protected function getScopeSeparator()


Gerrit-MessageType: merged
Gerrit-Change-Id: I761c51473e7dde1faff1b1fc181300bba594dc49
Gerrit-PatchSet: 1
Gerrit-Project: wikimedia/fundraising/crm/vendor
Gerrit-Branch: master
Gerrit-Owner: Awight <awi...@wikimedia.org>
Gerrit-Reviewer: Awight <awi...@wikimedia.org>
Gerrit-Reviewer: jenkins-bot <>
