From d4c98e263772bc5c9df3d8b4b59445967047ddd3 Mon Sep 17 00:00:00 2001
From: Brooke
Date: Mon, 1 Jun 2020 03:22:57 -0700
Subject: Updates PHPMailer to 6.1.6 (#3024)

* Update PHPMailer to 6.1.6

Fixes a security issue in PHPMailer 6.1.5 and earlier

* Remove .DS_Store
---
 lib/PHPMailer/PHPMailer/PHPMailer.php | 48 ++++++++++++++++++++++-------------
 lib/PHPMailer/PHPMailer/SMTP.php | 6 ++---
 2 files changed, 34 insertions(+), 20 deletions(-)
(limited to 'lib')

diff --git a/lib/PHPMailer/PHPMailer/PHPMailer.php b/lib/PHPMailer/PHPMailer/PHPMailer.php
index fddad40ac..ed14d7c7a 100644
--- a/lib/PHPMailer/PHPMailer/PHPMailer.php
+++ b/lib/PHPMailer/PHPMailer/PHPMailer.php
@@ -745,7 +745,7 @@ class PHPMailer
 *
 * @var string
 */
- const VERSION = '6.1.5';
+ const VERSION = '6.1.6';
 
 /**
 * Error severity: message only, continue processing.
@@ -2086,6 +2086,7 @@ class PHPMailer
 'se' => 'sv',
 'rs' => 'sr',
 'tg' => 'tl',
+ 'am' => 'hy',
 ];
 
 if (isset($renamed_langcodes[$langcode])) {
@@ -2606,7 +2607,7 @@ class PHPMailer
 $altBodyEncoding = static::ENCODING_QUOTED_PRINTABLE;
 }
 //Use this as a preamble in all multipart message types
- $mimepre = 'This is a multi-part message in MIME format.' . static::$LE . static::$LE;
+ $mimepre = 'This is a multi-part message in MIME format.' . static::$LE . static::$LE;
 switch ($this->message_type) {
 case 'inline':
 $body .= $mimepre;
@@ -3063,9 +3064,9 @@ class PHPMailer
 //Only include a filename property if we have one
 if (!empty($name)) {
 $mime[] = sprintf(
- 'Content-Type: %s; name="%s"%s',
+ 'Content-Type: %s; name=%s%s',
 $type,
- $this->encodeHeader($this->secureHeader($name)),
+ static::quotedString($this->encodeHeader($this->secureHeader($name))),
 static::$LE
 );
 } else {
@@ -3085,24 +3086,14 @@ class PHPMailer
 $mime[] = 'Content-ID: <' . $this->encodeHeader($this->secureHeader($cid)) . '>' . static::$LE;
 }
 
- // If a filename contains any of these chars, it should be quoted,
- // but not otherwise: RFC2183 & RFC2045 5.1
- // Fixes a warning in IETF's msglint MIME checker
- // Allow for bypassing the Content-Disposition header totally
+ // Allow for bypassing the Content-Disposition header
 if (!empty($disposition)) {
 $encoded_name = $this->encodeHeader($this->secureHeader($name));
- if (preg_match('/[ ()<>@,;:"\/\[\]?=]/', $encoded_name)) {
- $mime[] = sprintf(
- 'Content-Disposition: %s; filename="%s"%s',
- $disposition,
- $encoded_name,
- static::$LE . static::$LE
- );
- } elseif (!empty($encoded_name)) {
+ if (!empty($encoded_name)) {
 $mime[] = sprintf(
 'Content-Disposition: %s; filename=%s%s',
 $disposition,
- $encoded_name,
+ static::quotedString($encoded_name),
 static::$LE . static::$LE
 );
 } else {
@@ -3162,6 +3153,7 @@ class PHPMailer
 if ($this->exceptions) {
 throw $exc;
 }
+ return '';
 }
 }
 
@@ -4726,6 +4718,28 @@ class PHPMailer
 return (bool) preg_match('/^(.{' . (self::MAX_LINE_LENGTH + strlen(static::$LE)) . ',})/m', $str);
 }
 
+ /**
+ * If a string contains any "special" characters, double-quote the name,
+ * and escape any double quotes with a backslash.
+ *
+ * @param string $str
+ *
+ * @return string
+ *
+ * @see RFC822 3.4.1
+ */
+ public static function quotedString($str)
+ {
+ if (preg_match('/[ ()<>@,;:"\/\[\]?=]/', $str)) {
+ //If the string contains any of these chars, it must be double-quoted
+ //and any double quotes must be escaped with a backslash
+ return '"' . str_replace('"', '\\"', $str) . '"';
+ }
+
+ //Return the string untouched, it doesn't need quoting
+ return $str;
+ }
+
 /**
 * Allows for public read access to 'to' property.
 * Before the send() call, queued addresses (i.e. with IDN) are not yet included.
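Review bot: The new `if (!empty($encoded_name))` in the Content-Disposition hunk treats the string `'0'` as absent, so an attachment named `0` (assuming encodeHeader leaves such a name unchanged) drops into the else branch and, from what the hunk shows, presumably loses its filename parameter; the same `!empty($name)` idiom appears as context in the Content-Type hunk at 3063. A length comparison is the precise test for "no name was given": `if ($encoded_name !== '') {`. The enclosing method starts and ends outside this hunk.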
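Review bot: The added `return '';` in the hunk at 3162 makes the caught-exception path with exceptions disabled return an empty string, but nothing in the hunk tells callers that `''` now means "failed", so a caller concatenating the result into a message body will silently emit a truncated part. The method's docblock, which lies outside the hunk, should state the contract, e.g. `@return string The generated MIME part, or an empty string if an exception was caught and $this->exceptions is false`. The enclosing method begins before the hunk.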
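Review bot: quotedString escapes `"` but not `\`, and its character class omits the backslash, so an input containing `\"` becomes `"...\\"..."`, where the doubled backslash reads as an escaped backslash and the following quote closes the quoted-string early, while an input whose only special character is a backslash is returned unquoted even though `\` is a tspecial under RFC 2045 and must be escaped inside an RFC 822 quoted-string (qtext excludes both `"` and `\`). This matters because the helper is now what the Content-Type (hunk at 3063) and Content-Disposition (hunk at 3085) parameter values depend on to keep a filename from breaking out of the quoted value. Add the backslash to the trigger set and escape it before the quote so the inserted backslashes are not re-escaped: `if (preg_match('/[ ()<>@,;:"\\\\\/\[\]?=]/', $str)) {` and `return '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $str) . '"';`. The docblock could also record the precondition the call sites establish, e.g. `* Expects $str to already be free of CR/LF (both callers run secureHeader() first).`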
diff --git a/lib/PHPMailer/PHPMailer/SMTP.php b/lib/PHPMailer/PHPMailer/SMTP.php
index 1e38ba7da..aa5555149 100644
--- a/lib/PHPMailer/PHPMailer/SMTP.php
+++ b/lib/PHPMailer/PHPMailer/SMTP.php
@@ -34,7 +34,7 @@ class SMTP
 *
 * @var string
 */
- const VERSION = '6.1.5';
+ const VERSION = '6.1.6';
 
 /**
 * SMTP line break constant.
@@ -1168,7 +1168,7 @@ class SMTP
 //Must pass vars in here as params are by reference
 if (!stream_select($selR, $selW, $selW, $this->Timelimit)) {
 $this->edebug(
- 'SMTP -> get_lines(): timed-out (' . $this->Timeout . ' sec)',
+ 'SMTP -> get_lines(): select timed-out in (' . $this->Timelimit . ' sec)',
 self::DEBUG_LOWLEVEL
 );
 break;
@@ -1187,7 +1187,7 @@ class SMTP
 $info = stream_get_meta_data($this->smtp_conn);
 if ($info['timed_out']) {
 $this->edebug(
- 'SMTP -> get_lines(): timed-out (' . $this->Timeout . ' sec)',
+ 'SMTP -> get_lines(): stream timed-out (' . $this->Timeout . ' sec)',
 self::DEBUG_LOWLEVEL
 );
 break;
-- 
cgit v1.2.3