Ejegg has uploaded a new change for review. ( https://gerrit.wikimedia.org/r/337960 )
Change subject: Update PHPMailer ...................................................................... Update PHPMailer Change-Id: I57f02bc76164dcd78d4b937bcddfd828ef2b4634 --- M composer/installed.json M phpmailer/phpmailer/VERSION M phpmailer/phpmailer/class.phpmailer.php M phpmailer/phpmailer/class.phpmaileroauthgoogle.php M phpmailer/phpmailer/class.pop3.php M phpmailer/phpmailer/class.smtp.php A phpmailer/phpmailer/examples/contactform.phps M phpmailer/phpmailer/examples/contentsutf8.html M phpmailer/phpmailer/examples/scripts/XRegExp.js M phpmailer/phpmailer/examples/send_file_upload.phps M phpmailer/phpmailer/examples/send_multiple_file_upload.phps M phpmailer/phpmailer/extras/htmlfilter.php M phpmailer/phpmailer/get_oauth_token.php 13 files changed, 174 insertions(+), 88 deletions(-) git pull ssh://gerrit.wikimedia.org:29418/wikimedia/fundraising/crm/vendor refs/changes/60/337960/1 diff --git a/composer/installed.json b/composer/installed.json index 13bee3b..4dd1b02 100644 --- a/composer/installed.json +++ b/composer/installed.json 
@@ -566,68 +566,6 @@
 ]
 },
 {
- "name": "phpmailer/phpmailer",
- "version": "v5.2.21",
- "version_normalized": "5.2.21.0",
- "source": {
- "type": "git",
- "url": "https://github.com/PHPMailer/PHPMailer.git",
- "reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e"
- },
- "dist": {
- "type": "zip",
- "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/1d51856b76c06fc687fcd9180efa7a0bed0d761e",
- "reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e",
- "shasum": ""
- },
- "require": {
- "php": ">=5.0.0"
- },
- "require-dev": {
- "phpdocumentor/phpdocumentor": "*",
- "phpunit/phpunit": "4.7.*"
- },
- "suggest": {
- "league/oauth2-google": "Needed for Google XOAUTH2 authentication"
- },
- "time": "2016-12-28 15:35:48",
- "type": "library",
- "installation-source": "dist",
- "autoload": {
- "classmap": [
- "class.phpmailer.php",
- "class.phpmaileroauth.php",
- "class.phpmaileroauthgoogle.php",
- "class.smtp.php",
- "class.pop3.php",
- "extras/EasyPeasyICS.php",
- "extras/ntlm_sasl_client.php"
- ]
- },
- "notification-url": "https://packagist.org/downloads/",
- "license": [
- "LGPL-2.1"
- ],
- "authors": [
- {
- "name": "Jim Jagielski",
- "email": "jim...@gmail.com"
- },
- {
- "name": "Marcus Bointon",
- "email": "phpmai...@synchromedia.co.uk"
- },
- {
- "name": "Andy Prevost",
- "email": "codeworxt...@users.sourceforge.net"
- },
- {
- "name": "Brent R. Matzelle"
- }
- ],
- "description": "PHPMailer is a full-featured email creation and transfer class for PHP"
- },
- {
 "name": "minfraud/http",
 "version": "v1.71",
 "version_normalized": "1.71.0.0",
@@ -1238,5 +1176,67 @@
 "donations",
 "payments"
 ]
+ },
+ {
+ "name": "phpmailer/phpmailer",
+ "version": "v5.2.22",
+ "version_normalized": "5.2.22.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/PHPMailer/PHPMailer.git",
+ "reference": "b18cb98131bd83103ccb26a888fdfe3177b8a663"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/b18cb98131bd83103ccb26a888fdfe3177b8a663",
+ "reference": "b18cb98131bd83103ccb26a888fdfe3177b8a663",
+ "shasum": ""
+ },
+ "require": {
+ "php": ">=5.0.0"
+ },
+ "require-dev": {
+ "phpdocumentor/phpdocumentor": "*",
+ "phpunit/phpunit": "4.7.*"
+ },
+ "suggest": {
+ "league/oauth2-google": "Needed for Google XOAUTH2 authentication"
+ },
+ "time": "2017-01-09 09:33:47",
+ "type": "library",
+ "installation-source": "dist",
+ "autoload": {
+ "classmap": [
+ "class.phpmailer.php",
+ "class.phpmaileroauth.php",
+ "class.phpmaileroauthgoogle.php",
+ "class.smtp.php",
+ "class.pop3.php",
+ "extras/EasyPeasyICS.php",
+ "extras/ntlm_sasl_client.php"
+ ]
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "LGPL-2.1"
+ ],
+ "authors": [
+ {
+ "name": "Jim Jagielski",
+ "email": "jim...@gmail.com"
+ },
+ {
+ "name": "Marcus Bointon",
+ "email": "phpmai...@synchromedia.co.uk"
+ },
+ {
+ "name": "Andy Prevost",
+ "email": "codeworxt...@users.sourceforge.net"
+ },
+ {
+ "name": "Brent R. Matzelle"
+ }
+ ],
+ "description": "PHPMailer is a full-featured email creation and transfer class for PHP"
 }
 ]
diff --git a/phpmailer/phpmailer/VERSION b/phpmailer/phpmailer/VERSION
index 567eefa..07b2657 100644
--- a/phpmailer/phpmailer/VERSION
+++ b/phpmailer/phpmailer/VERSION
@@ -1 +1 @@
-5.2.21
+5.2.22
diff --git a/phpmailer/phpmailer/class.phpmailer.php b/phpmailer/phpmailer/class.phpmailer.php
index 8ff13f1..477ee82 100644
--- a/phpmailer/phpmailer/class.phpmailer.php
+++ b/phpmailer/phpmailer/class.phpmailer.php
@@ -31,7 +31,7 @@
 * The PHPMailer Version number.
 * @var string
 */
- public $Version = '5.2.21';
+ public $Version = '5.2.22';
 /**
 * Email priority.
@@ -2492,6 +2492,7 @@
 /**
 * Add an attachment from a path on the filesystem.
+ * Never use a user-supplied path to a file!
 * Returns false if the file could not be found or read.
 * @param string $path Path to the attachment.
 * @param string $name Overrides the attachment name.
@@ -3017,6 +3018,7 @@
 * displayed inline with the message, not just attached for download.
 * This is used in HTML messages that embed the images
 * the HTML refers to using the $cid value.
+ * Never use a user-supplied path to a file!
 * @param string $path Path to the attachment.
 * @param string $cid Content ID of the attachment; Use this to reference
 * the content when using an embedded image in HTML.
@@ -3380,12 +3382,14 @@
 * Create a message body from an HTML string.
 * Automatically inlines images and creates a plain-text version by converting the HTML,
 * overwriting any existing values in Body and AltBody.
- * $basedir is used when handling relative image paths, e.g. <img src="images/a.png">
+ * Do not source $message content from user input!
+ * $basedir is prepended when handling relative URLs, e.g. <img src="/images/a.png"> and must not be empty
 * will look for an image file in $basedir/images/a.png and convert it to inline.
- * If you don't want to apply these transformations to your HTML, just set Body and AltBody yourself.
+ * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email)
+ * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly.
 * @access public
 * @param string $message HTML message string
- * @param string $basedir base directory for relative paths to images
+ * @param string $basedir Absolute path to a base directory to prepend to relative paths to images
 * @param boolean|callable $advanced Whether to use the internal HTML to text converter
 * or your own custom converter @see PHPMailer::html2text()
 * @return string $message The transformed message Body
@@ -3394,6 +3398,10 @@
 {
 preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images);
 if (array_key_exists(2, $images)) {
+ if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
+ // Ensure $basedir has a trailing /
+ $basedir .= '/';
+ }
 foreach ($images[2] as $imgindex => $url) {
 // Convert data URIs into embedded images
 if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) {
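Review bot: The rewritten msgHTML docblock is internally inconsistent: the `$basedir` line now says it "must not be empty", while two lines later it says that without a `$basedir` relative paths are simply left untouched, which is also what the new `!empty($basedir)` guard in the following hunk actually does. Suggest making the first line agree with the behaviour, e.g. ` * $basedir is prepended when handling relative URLs, e.g. <img src="/images/a.png">; if it is empty, relative URLs are not touched at all`. In the trailing-slash normalisation moved up into the second hunk, `strlen($basedir) > 1` skips a one-character basedir such as `.`, which is then concatenated with no separator (`.images/a.png`); `if ($basedir !== '' && substr($basedir, -1) !== '/')` covers that case and drops the loose `!=`. msgHTML's body continues in the next hunk, outside what is shown here.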
@@ -3411,18 +3419,24 @@
 $message
 );
 }
- } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
- // Do not change urls for absolute images (thanks to corvuscorax)
+ continue;
+ }
+ if (
+ // Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
+ !empty($basedir)
+ // Ignore URLs containing parent dir traversal (..)
+ && (strpos($url, '..') === false)
 // Do not change urls that are already inline images
+ && substr($url, 0, 4) !== 'cid:'
+ // Do not change absolute URLs, including anonymous protocol
+ && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url)
+ ) {
 $filename = basename($url);
 $directory = dirname($url);
 if ($directory == '.') {
 $directory = '';
 }
 $cid = md5($url) . '@phpmailer.0'; // RFC2392 S 2
- if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
- $basedir .= '/';
- }
 if (strlen($directory) > 1 && substr($directory, -1) != '/') {
 $directory .= '/';
 }
diff --git a/phpmailer/phpmailer/class.phpmaileroauthgoogle.php b/phpmailer/phpmailer/class.phpmaileroauthgoogle.php
index 8d169b2..71c9bd3 100644
--- a/phpmailer/phpmailer/class.phpmaileroauthgoogle.php
+++ b/phpmailer/phpmailer/class.phpmaileroauthgoogle.php
@@ -51,10 +51,10 @@
 private function getProvider()
 {
- return new League\OAuth2\Client\Provider\Google(array(
+ return new League\OAuth2\Client\Provider\Google([
 'clientId' => $this->oauthClientId,
 'clientSecret' => $this->oauthClientSecret
- ));
+ ]);
 }
 private function getGrant()
@@ -66,7 +66,7 @@
 {
 $provider = $this->getProvider();
 $grant = $this->getGrant();
- return $provider->getAccessToken($grant, array('refresh_token' => $this->oauthRefreshToken));
+ return $provider->getAccessToken($grant, ['refresh_token' => $this->oauthRefreshToken]);
 }
 public function getOauth64()
diff --git a/phpmailer/phpmailer/class.pop3.php b/phpmailer/phpmailer/class.pop3.php
index 373c886..f10e688 100644
--- a/phpmailer/phpmailer/class.pop3.php
+++ b/phpmailer/phpmailer/class.pop3.php
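Review bot: The new guard only filters the URL string (the `..` substring test, the `cid:` prefix test and the scheme-or-`//` regex) before `$basedir . $directory . $filename` is assembled; nothing in this hunk verifies that the file eventually opened really lies under `$basedir`, so a symlink placed inside `$basedir`, or a path form the substring test does not anticipate, is still read and embedded into the mail. Since the purpose of this hunk is to stop attacker-influenced `$message` content from pulling arbitrary local files into an outgoing message, a filesystem-level containment check is the belt-and-braces addition: `$realBase = realpath($basedir); $real = realpath($basedir . $directory . $filename);` followed by `if ($realBase === false || $real === false || strpos($real, $realBase . DIRECTORY_SEPARATOR) !== 0) { continue; }` immediately before the file is embedded (that call is presumably below this hunk, outside what is shown). The `..` test also rejects harmless names such as `logo..png`; that is a safe over-match but deserves a comment so nobody "fixes" it. This is a vendored copy (the change is to crm/vendor), so the code itself belongs upstream; the actionable item for this repo is confirming that no local caller passes user-supplied HTML or a user-controlled `$basedir` to msgHTML, as the new docblock now warns. msgHTML's body continues past the end of this hunk.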
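Review bot: The switch from `array(...)` to short array syntax `[...]` in getProvider() and in the refresh-token call raises the effective PHP floor of this file to 5.4, while the package metadata updated in this same change (composer/installed.json) still advertises `"php": ">=5.0.0"`. Whether that matters in practice depends on what league/oauth2-google itself requires, which is not visible here, but the stated constraint and the code now disagree. If the OAuth classes are intended to need a newer PHP than the core class, say so where the class is declared, e.g. `// Requires PHP 5.4+ (short array syntax) and league/oauth2-google`. Behaviour is otherwise unchanged.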
@@ -34,7 +34,7 @@
 * @var string
 * @access public
 */
- public $Version = '5.2.21';
+ public $Version = '5.2.22';
 /**
 * Default POP3 port number.
diff --git a/phpmailer/phpmailer/class.smtp.php b/phpmailer/phpmailer/class.smtp.php
index 270162b..8932117 100644
--- a/phpmailer/phpmailer/class.smtp.php
+++ b/phpmailer/phpmailer/class.smtp.php
@@ -30,7 +30,7 @@
 * The PHPMailer SMTP version number.
 * @var string
 */
- const VERSION = '5.2.21';
+ const VERSION = '5.2.22';
 /**
 * SMTP line break constant.
@@ -81,7 +81,7 @@
 * @deprecated Use the `VERSION` constant instead
 * @see SMTP::VERSION
 */
- public $Version = '5.2.21';
+ public $Version = '5.2.22';
 /**
 * SMTP server port number.
diff --git a/phpmailer/phpmailer/examples/contactform.phps b/phpmailer/phpmailer/examples/contactform.phps
new file mode 100644
index 0000000..d85e204
--- /dev/null
+++ b/phpmailer/phpmailer/examples/contactform.phps
@@ -0,0 +1,71 @@
+<?php
+/**
+ * This example shows how to handle a simple contact form.
+ */
+
+$msg = '';
+//Don't run this unless we're handling a form submission
+if (array_key_exists('email', $_POST)) {
+ date_default_timezone_set('Etc/UTC');
+
+ require '../PHPMailerAutoload.php';
+
+ //Create a new PHPMailer instance
+ $mail = new PHPMailer;
+ //Tell PHPMailer to use SMTP - requires a local mail server
+ //Faster and safer than using mail()
+ $mail->isSMTP();
+ $mail->Host = 'localhost';
+ $mail->Port = 25;
+
+ //Use a fixed address in your own domain as the from address
+ //**DO NOT** use the submitter's address here as it will be forgery
+ //and will cause your messages to fail SPF checks
+ $mail->setFrom('f...@example.com', 'First Last');
+ //Send the message to yourself, or whoever should receive contact for submissions
+ $mail->addAddress('wh...@example.com', 'John Doe');
+ //Put the submitter's address in a reply-to header
+ //This will fail if the address provided is invalid,
+ //in which case we should ignore the whole request
+ if ($mail->addReplyTo($_POST['email'], $_POST['name'])) {
+ $mail->Subject = 'PHPMailer contact form';
+ //Keep it simple - don't use HTML
+ $mail->isHTML(false);
+ //Build a simple message body
+ $mail->Body = <<<EOT
+Email: {$_POST['email']}
+Name: {$_POST['name']}
+Message: {$_POST['message']}
+EOT;
+ //Send the message, check for errors
+ if (!$mail->send()) {
+ //The reason for failing to send will be in $mail->ErrorInfo
+ //but you shouldn't display errors to users - process the error, log it on your server.
+ $msg = 'Sorry, something went wrong. Please try again later.';
+ } else {
+ $msg = 'Message sent! 
Thanks for contacting us.';
+ }
+ } else {
+ $msg = 'Invalid email address, message ignored.';
+ }
+}
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8">
+ <title>Contact form</title>
+</head>
+<body>
+<h1>Contact us</h1>
+<?php if (!empty($msg)) {
+ echo "<h2>$msg</h2>";
+} ?>
+<form method="POST">
+ <label for="name">Name: <input type="text" name="name" id="name"></label><br>
+ <label for="email">Email address: <input type="email" name="email" id="email"></label><br>
+ <label for="message">Message: <textarea name="message" id="message" rows="8" cols="20"></textarea></label><br>
+ <input type="submit" value="Send">
+</form>
+</body>
+</html>
diff --git a/phpmailer/phpmailer/examples/contentsutf8.html b/phpmailer/phpmailer/examples/contentsutf8.html
index 81a2024..035d10c 100644
--- a/phpmailer/phpmailer/examples/contentsutf8.html
+++ b/phpmailer/phpmailer/examples/contentsutf8.html
@@ -15,6 +15,7 @@
 <p>Russian text: Пустое тело сообщения</p>
 <p>Armenian text: Հաղորդագրությունը դատարկ է</p>
 <p>Czech text: Prázdné tělo zprávy</p>
+ <p>Emoji: <span style="font-size: 48px">😂 🦄 💥 📤 📧</span></p>
 </div>
 </body>
 </html>
diff --git a/phpmailer/phpmailer/examples/scripts/XRegExp.js b/phpmailer/phpmailer/examples/scripts/XRegExp.js
index ebdb9c9..feb6679 100644
--- a/phpmailer/phpmailer/examples/scripts/XRegExp.js
+++ b/phpmailer/phpmailer/examples/scripts/XRegExp.js
@@ -259,7 +259,7 @@
 //---------------------------------
- // Overriden native methods
+ // Overridden native methods
 //---------------------------------
 // Adds named capture support (with backreferences returned as `result.name`), and fixes two
diff --git a/phpmailer/phpmailer/examples/send_file_upload.phps b/phpmailer/phpmailer/examples/send_file_upload.phps
index 3004c76..ab60fd1 100644
--- a/phpmailer/phpmailer/examples/send_file_upload.phps
+++ b/phpmailer/phpmailer/examples/send_file_upload.phps
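Review bot: The guard `if (array_key_exists('email', $_POST))` only checks for `email`, yet `$_POST['name']` and `$_POST['message']` are read unconditionally in the addReplyTo() call and in the heredoc body, so a request that omits either field produces undefined-index notices instead of being handled. Read them once with defaults, `$name = isset($_POST['name']) ? $_POST['name'] : '';` and `$message = isset($_POST['message']) ? $_POST['message'] : '';`, and use those variables in place of the direct `$_POST` reads. Because this example will be copied verbatim, it is also worth a comment that the form has no anti-automation control (no token, rate limit or captcha), so anyone can make the server send mail to the fixed recipient at will, e.g. `//This example has no spam/abuse protection - add rate limiting and a form token before deploying it`. The `echo "<h2>$msg</h2>"` is safe as written only because `$msg` holds fixed server-side strings; if `$mail->ErrorInfo` is ever surfaced there it must go through `htmlspecialchars()` first.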
@@ -17,7 +17,7 @@
 $mail->setFrom('f...@example.com', 'First Last');
 $mail->addAddress('wh...@example.com', 'John Doe');
 $mail->Subject = 'PHPMailer file sender';
- $mail->msgHTML("My message body");
+ $mail->Body = 'My message body';
 // Attach the uploaded file
 $mail->addAttachment($uploadfile, 'My uploaded file');
 if (!$mail->send()) {
diff --git a/phpmailer/phpmailer/examples/send_multiple_file_upload.phps b/phpmailer/phpmailer/examples/send_multiple_file_upload.phps
index ddb7614..72f2115 100644
--- a/phpmailer/phpmailer/examples/send_multiple_file_upload.phps
+++ b/phpmailer/phpmailer/examples/send_multiple_file_upload.phps
@@ -12,7 +12,7 @@
 $mail->setFrom('f...@example.com', 'First Last');
 $mail->addAddress('wh...@example.com', 'John Doe');
 $mail->Subject = 'PHPMailer file sender';
- $mail->msgHTML('My message body');
+ $mail->Body = 'My message body';
 //Attach multiple files one by one
 for ($ct = 0; $ct < count($_FILES['userfile']['tmp_name']); $ct++) {
 $uploadfile = tempnam(sys_get_temp_dir(), sha1($_FILES['userfile']['name'][$ct]));
diff --git a/phpmailer/phpmailer/extras/htmlfilter.php b/phpmailer/phpmailer/extras/htmlfilter.php
index 7727487..a86ef57 100644
--- a/phpmailer/phpmailer/extras/htmlfilter.php
+++ b/phpmailer/phpmailer/extras/htmlfilter.php
@@ -433,7 +433,7 @@
 *
 * @param string $attvalue the by-ref value to check.
 * @param string $regex the regular expression to check against.
- * @param boolean $hex whether the entites are hexadecimal.
+ * @param boolean $hex whether the entities are hexadecimal.
 * @return boolean True or False depending on whether there were matches.
 */
 function tln_deent(&$attvalue, $regex, $hex = false)
@@ -772,7 +772,7 @@
 tln_defang($contentTemp);
 tln_unspace($contentTemp);
- $match = Array('/\/\*.*\*\//',
+ $match = array('/\/\*.*\*\//',
 '/expression/i',
 '/behaviou*r/i',
 '/binding/i',
@@ -780,7 +780,7 @@
 '/javascript/i',
 '/script/i',
 '/position/i');
- $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
+ $replace = array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
 $contentNew = preg_replace($match, $replace, $contentTemp);
 if ($contentNew !== $contentTemp) {
 $content = $contentNew;
diff --git a/phpmailer/phpmailer/get_oauth_token.php b/phpmailer/phpmailer/get_oauth_token.php
index b95d5c4..2c26d0f 100644
--- a/phpmailer/phpmailer/get_oauth_token.php
+++ b/phpmailer/phpmailer/get_oauth_token.php
@@ -80,24 +80,24 @@
 $params = array_merge(
 parent::getAuthorizationParameters($options),
- array_filter(array(
+ array_filter([
 'hd' => $this->hostedDomain,
 'access_type' => $this->accessType,
 'scope' => $this->scope,
 // if the user is logged in with more than one account ask which one to use for the login!
 'authuser' => '-1'
- ))
+ ])
 );
 return $params;
 }
 protected function getDefaultScopes()
 {
- return array(
+ return [
 'email',
 'openid',
 'profile',
- );
+ ];
 }
 protected function getScopeSeparator() -- To view, visit https://gerrit.wikimedia.org/r/337960 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: newchange Gerrit-Change-Id: I57f02bc76164dcd78d4b937bcddfd828ef2b4634 Gerrit-PatchSet: 1 Gerrit-Project: wikimedia/fundraising/crm/vendor Gerrit-Branch: master Gerrit-Owner: Ejegg <eeggles...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits