diff --git a/wp-includes/class-phpmailer.php b/wp-includes/class-phpmailer.php
index 2df9c1bab5..7f5e353578 100644
--- a/wp-includes/class-phpmailer.php
+++ b/wp-includes/class-phpmailer.php
@@ -31,7 +31,7 @@ class PHPMailer
* The PHPMailer Version number.
* @var string
*/
- public $Version = '5.2.21';
+ public $Version = '5.2.22';
/**
* Email priority.
@@ -2493,6 +2493,7 @@ class PHPMailer
/**
* Add an attachment from a path on the filesystem.
+ * Never use a user-supplied path to a file!
* Returns false if the file could not be found or read.
* @param string $path Path to the attachment.
* @param string $name Overrides the attachment name.
@@ -3018,6 +3019,7 @@ class PHPMailer
* displayed inline with the message, not just attached for download.
* This is used in HTML messages that embed the images
* the HTML refers to using the $cid value.
+ * Never use a user-supplied path to a file!
* @param string $path Path to the attachment.
* @param string $cid Content ID of the attachment; Use this to reference
* the content when using an embedded image in HTML.
@@ -3381,12 +3383,14 @@ class PHPMailer
* Create a message body from an HTML string.
* Automatically inlines images and creates a plain-text version by converting the HTML,
* overwriting any existing values in Body and AltBody.
- * $basedir is used when handling relative image paths, e.g.
+ * Do not source $message content from user input!
+ * $basedir is prepended when handling relative URLs, e.g. and must not be empty
* will look for an image file in $basedir/images/a.png and convert it to inline.
- * If you don't want to apply these transformations to your HTML, just set Body and AltBody yourself.
+ * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email)
+ * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly.
* @access public
* @param string $message HTML message string
- * @param string $basedir base directory for relative paths to images
+ * @param string $basedir Absolute path to a base directory to prepend to relative paths to images
* @param boolean|callable $advanced Whether to use the internal HTML to text converter
* or your own custom converter @see PHPMailer::html2text()
* @return string $message The transformed message Body
@@ -3395,6 +3399,10 @@ class PHPMailer
{
preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images);
if (array_key_exists(2, $images)) {
+ if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
+ // Ensure $basedir has a trailing /
+ $basedir .= '/';
+ }
foreach ($images[2] as $imgindex => $url) {
// Convert data URIs into embedded images
if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) {
@@ -3412,18 +3420,24 @@ class PHPMailer
$message
);
}
- } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
- // Do not change urls for absolute images (thanks to corvuscorax)
+ continue;
+ }
+ if (
+ // Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
+ !empty($basedir)
+ // Ignore URLs containing parent dir traversal (..)
+ && (strpos($url, '..') === false)
// Do not change urls that are already inline images
+ && substr($url, 0, 4) !== 'cid:'
+ // Do not change absolute URLs, including anonymous protocol
+ && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url)
+ ) {
$filename = basename($url);
$directory = dirname($url);
if ($directory == '.') {
$directory = '';
}
$cid = md5($url) . '@phpmailer.0'; // RFC2392 S 2
- if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
- $basedir .= '/';
- }
if (strlen($directory) > 1 && substr($directory, -1) != '/') {
$directory .= '/';
}
diff --git a/wp-includes/class-smtp.php b/wp-includes/class-smtp.php
index 3aa48f4fb0..3ad081926a 100644
--- a/wp-includes/class-smtp.php
+++ b/wp-includes/class-smtp.php
@@ -30,7 +30,7 @@ class SMTP
* The PHPMailer SMTP version number.
* @var string
*/
- const VERSION = '5.2.21';
+ const VERSION = '5.2.22';
/**
* SMTP line break constant.
@@ -81,7 +81,7 @@ class SMTP
* @deprecated Use the `VERSION` constant instead
* @see SMTP::VERSION
*/
- public $Version = '5.2.21';
+ public $Version = '5.2.22';
/**
* SMTP server port number.
diff --git a/wp-includes/version.php b/wp-includes/version.php
index dc5945bb39..588b7fb7ed 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -4,7 +4,7 @@
*
* @global string $wp_version
*/
-$wp_version = '4.8-alpha-39758';
+$wp_version = '4.8-alpha-39759';
/**
* Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.