From 45003f3c6113bd87b5dcd7ed3951db93905fe948 Mon Sep 17 00:00:00 2001
From: wilsonge
Date: Thu, 12 Jan 2017 12:45:12 +0000
Subject: [PATCH] PHPMailer update

---
 composer.lock | 10 +++---
 libraries/vendor/composer/installed.json | 12 +++----
 libraries/vendor/phpmailer/phpmailer/VERSION | 2 +-
 .../phpmailer/phpmailer/class.phpmailer.php | 32 +++++++++++++------
 .../vendor/phpmailer/phpmailer/class.pop3.php | 2 +-
 .../vendor/phpmailer/phpmailer/class.smtp.php | 4 +--
 .../phpmailer/phpmailer/extras/htmlfilter.php | 6 ++--
 7 files changed, 41 insertions(+), 27 deletions(-)

diff --git a/composer.lock b/composer.lock
index b780110f1cd27..7b82ca6812ef8 100644
--- a/composer.lock
+++ b/composer.lock
@@ -725,16 +725,16 @@
 },
 {
 "name": "phpmailer/phpmailer",
-"version": "v5.2.21",
+"version": "v5.2.22",
 "source": {
 "type": "git",
 "url": "https://github.com/PHPMailer/PHPMailer.git",
-"reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e"
+"reference": "b18cb98131bd83103ccb26a888fdfe3177b8a663"
 },
 "dist": {
 "type": "zip",
-"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/1d51856b76c06fc687fcd9180efa7a0bed0d761e",
-"reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e",
+"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/b18cb98131bd83103ccb26a888fdfe3177b8a663",
+"reference": "b18cb98131bd83103ccb26a888fdfe3177b8a663",
 "shasum": ""
 },
 "require": {
@@ -781,7 +781,7 @@
 }
 ],
 "description": "PHPMailer is a full-featured email creation and transfer class for PHP",
-"time": "2016-12-28T15:35:48+00:00"
+"time": "2017-01-09T09:33:47+00:00"
 },
 {
 "name": "psr/log",
diff --git a/libraries/vendor/composer/installed.json b/libraries/vendor/composer/installed.json
index fe028139199c1..a2cc3119ce7be 100644
--- a/libraries/vendor/composer/installed.json
+++ b/libraries/vendor/composer/installed.json
@@ -1074,17 +1074,17 @@
 },
 {
 "name": "phpmailer/phpmailer",
-"version": "v5.2.21",
-"version_normalized": "5.2.21.0",
+"version": "v5.2.22",
+"version_normalized": "5.2.22.0",
 "source": {
 "type": "git",
 "url": "https://github.com/PHPMailer/PHPMailer.git",
-"reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e"
+"reference": "b18cb98131bd83103ccb26a888fdfe3177b8a663"
 },
 "dist": {
 "type": "zip",
-"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/1d51856b76c06fc687fcd9180efa7a0bed0d761e",
-"reference": "1d51856b76c06fc687fcd9180efa7a0bed0d761e",
+"url": "https://api.github.com/repos/PHPMailer/PHPMailer/zipball/b18cb98131bd83103ccb26a888fdfe3177b8a663",
+"reference": "b18cb98131bd83103ccb26a888fdfe3177b8a663",
 "shasum": ""
 },
 "require": {
@@ -1097,7 +1097,7 @@
 "suggest": {
 "league/oauth2-google": "Needed for Google XOAUTH2 authentication"
 },
-"time": "2016-12-28T15:35:48+00:00",
+"time": "2017-01-09T09:33:47+00:00",
 "type": "library",
 "installation-source": "dist",
 "autoload": {
diff --git a/libraries/vendor/phpmailer/phpmailer/VERSION b/libraries/vendor/phpmailer/phpmailer/VERSION
index 567eefa2cdf13..07b26572fc865 100644
--- a/libraries/vendor/phpmailer/phpmailer/VERSION
+++ b/libraries/vendor/phpmailer/phpmailer/VERSION
@@ -1 +1 @@
-5.2.21
+5.2.22
diff --git a/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php b/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php
index 8ff13f11046ae..477ee826eae95 100644
--- a/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php
+++ b/libraries/vendor/phpmailer/phpmailer/class.phpmailer.php
@@ -31,7 +31,7 @@ class PHPMailer
 * The PHPMailer Version number.
 * @var string
 */
-public $Version = '5.2.21';
+public $Version = '5.2.22';
 /**
 * Email priority.
@@ -2492,6 +2492,7 @@ public function textLine($value)
 /**
 * Add an attachment from a path on the filesystem.
+ * Never use a user-supplied path to a file!
 * Returns false if the file could not be found or read.
 * @param string $path Path to the attachment.
 * @param string $name Overrides the attachment name.
@@ -3017,6 +3018,7 @@ public function addStringAttachment(
 * displayed inline with the message, not just attached for download.
 * This is used in HTML messages that embed the images
 * the HTML refers to using the $cid value.
+ * Never use a user-supplied path to a file!
 * @param string $path Path to the attachment.
 * @param string $cid Content ID of the attachment; Use this to reference
 * the content when using an embedded image in HTML.
@@ -3380,12 +3382,14 @@ public function getCustomHeaders()
 * Create a message body from an HTML string.
 * Automatically inlines images and creates a plain-text version by converting the HTML,
 * overwriting any existing values in Body and AltBody.
- * $basedir is used when handling relative image paths, e.g.
+ * Do not source $message content from user input!
+ * $basedir is prepended when handling relative URLs, e.g. and must not be empty
 * will look for an image file in $basedir/images/a.png and convert it to inline.
- * If you don't want to apply these transformations to your HTML, just set Body and AltBody yourself.
+ * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email)
+ * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly.
 * @access public
 * @param string $message HTML message string
- * @param string $basedir base directory for relative paths to images
+ * @param string $basedir Absolute path to a base directory to prepend to relative paths to images
 * @param boolean|callable $advanced Whether to use the internal HTML to text converter
 * or your own custom converter @see PHPMailer::html2text()
 * @return string $message The transformed message Body
@@ -3394,6 +3398,10 @@ public function msgHTML($message, $basedir = '', $advanced = false)
 {
 preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images);
 if (array_key_exists(2, $images)) {
+ if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
+ // Ensure $basedir has a trailing /
+ $basedir .= '/';
+ }
 foreach ($images[2] as $imgindex => $url) {
 // Convert data URIs into embedded images
 if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) {
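Review bot: The rewritten docblock contradicts itself: the new line `$basedir is prepended when handling relative URLs, e.g. and must not be empty` says the argument is mandatory, while the line added two below says that without a $basedir relative paths are simply left untouched, and the `e.g.` example is empty in this view (an `<img src="images/a.png">` tag was presumably stripped by the extraction). The behaviour described by the second sentence is the one the code implements, so the first should be reworded to match, e.g. `* $basedir is prepended to relative URLs, e.g. <img src="images/a.png"> with $basedir '/var/www/' embeds /var/www/images/a.png; when $basedir is empty, relative URLs are left untouched.` The @param line should then say "Absolute path to a base directory; leave empty to skip relative-URL rewriting" rather than implying it is required. The method this docblock belongs to, msgHTML, begins after the end of this hunk.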
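Review bot: The trailing-slash guard hoisted to the top of the loop, `if (strlen($basedir) > 1 && substr($basedir, -1) != '/')`, skips any one-character base directory, so a caller passing `.` (or any single-letter directory name) ends up with `$basedir` concatenated directly onto the image path, producing `.images/a.png` instead of `./images/a.png`; the condition is pre-existing and only moved by this commit, but it is now the only place it runs. `if ($basedir !== '' && substr($basedir, -1) !== '/')` gives the intended behaviour for every non-empty value, since a lone `/` already ends in a slash and is left alone. The docblock now says $basedir should be an absolute path, which makes the case rarer, but a short comment on the `> 1` would be worth adding if it is kept deliberately. The body of msgHTML continues past the end of this hunk.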
@@ -3411,18 +3419,24 @@ public function msgHTML($message, $basedir = '', $advanced = false)
 $message
 );
 }
- } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
- // Do not change urls for absolute images (thanks to corvuscorax)
+ continue;
+ }
+ if (
+ // Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
+ !empty($basedir)
+ // Ignore URLs containing parent dir traversal (..)
+ && (strpos($url, '..') === false)
 // Do not change urls that are already inline images
+ && substr($url, 0, 4) !== 'cid:'
+ // Do not change absolute URLs, including anonymous protocol
+ && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url)
+ ) {
 $filename = basename($url);
 $directory = dirname($url);
 if ($directory == '.') {
 $directory = '';
 }
 $cid = md5($url) . '@phpmailer.0'; // RFC2392 S 2
- if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
- $basedir .= '/';
- }
 if (strlen($directory) > 1 && substr($directory, -1) != '/') {
 $directory .= '/';
 }
diff --git a/libraries/vendor/phpmailer/phpmailer/class.pop3.php b/libraries/vendor/phpmailer/phpmailer/class.pop3.php
index 373c886cded3e..f10e688e3ec5c 100644
--- a/libraries/vendor/phpmailer/phpmailer/class.pop3.php
+++ b/libraries/vendor/phpmailer/phpmailer/class.pop3.php
@@ -34,7 +34,7 @@ class POP3
 * @var string
 * @access public
 */
-public $Version = '5.2.21';
+public $Version = '5.2.22';
 /**
 * Default POP3 port number.
diff --git a/libraries/vendor/phpmailer/phpmailer/class.smtp.php b/libraries/vendor/phpmailer/phpmailer/class.smtp.php
index 270162b26400e..89321171b0519 100644
--- a/libraries/vendor/phpmailer/phpmailer/class.smtp.php
+++ b/libraries/vendor/phpmailer/phpmailer/class.smtp.php
@@ -30,7 +30,7 @@ class SMTP
 * The PHPMailer SMTP version number.
 * @var string
 */
-const VERSION = '5.2.21';
+const VERSION = '5.2.22';
 /**
 * SMTP line break constant.
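Review bot: The new guard (`!empty($basedir)`, no `..`, not `cid:`, not an absolute or protocol-relative URL) stops traversal out of $basedir, but whoever controls the HTML can still get any readable file beneath $basedir attached to the mail: the visible lines build the path purely from basename()/dirname() of the attacker-influenced $url and never check that the target is an image, and the read itself happens further down, outside this hunk. That is only safe when $basedir holds nothing but images, which the code should say next to the condition, e.g. `// Every file under $basedir is reachable from here; never point $basedir at the web root or at a directory holding config or credentials`. A smaller nit: `!empty($basedir)` treats the string '0' as "no base directory", so `$basedir !== ''` is the precise test, and `strpos($url, '..') === false` also rejects legitimate names such as `a..png`, which deserves a word in the comment so nobody "fixes" it later. The enclosing msgHTML body starts before and ends after this hunk.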
@@ -81,7 +81,7 @@ class SMTP
 * @deprecated Use the `VERSION` constant instead
 * @see SMTP::VERSION
 */
-public $Version = '5.2.21';
+public $Version = '5.2.22';
 /**
 * SMTP server port number.
diff --git a/libraries/vendor/phpmailer/phpmailer/extras/htmlfilter.php b/libraries/vendor/phpmailer/phpmailer/extras/htmlfilter.php
index 7727487e52bb2..a86ef579d7841 100644
--- a/libraries/vendor/phpmailer/phpmailer/extras/htmlfilter.php
+++ b/libraries/vendor/phpmailer/phpmailer/extras/htmlfilter.php
@@ -433,7 +433,7 @@ function tln_getnxtag($body, $offset)
 *
 * @param string $attvalue the by-ref value to check.
 * @param string $regex the regular expression to check against.
- * @param boolean $hex whether the entites are hexadecimal.
+ * @param boolean $hex whether the entities are hexadecimal.
 * @return boolean True or False depending on whether there were matches.
 */
 function tln_deent(&$attvalue, $regex, $hex = false)
@@ -772,7 +772,7 @@ function tln_fixstyle($body, $pos, $trans_image_path, $block_external_images)
 tln_defang($contentTemp);
 tln_unspace($contentTemp);
- $match = Array('/\/\*.*\*\//',
+ $match = array('/\/\*.*\*\//',
 '/expression/i',
 '/behaviou*r/i',
 '/binding/i',
@@ -780,7 +780,7 @@ function tln_fixstyle($body, $pos, $trans_image_path, $block_external_images)
 '/javascript/i',
 '/script/i',
 '/position/i');
- $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
+ $replace = array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
 $contentNew = preg_replace($match, $replace, $contentTemp);
 if ($contentNew !== $contentTemp) {
 $content = $contentNew;