From 82b478b0be9ab7de7aa8428379d50f4aa4f53784 Mon Sep 17 00:00:00 2001
From: Sergey Biryukov
Date: Wed, 16 Jun 2021 17:27:02 +0000
Subject: [PATCH] External Libraries: Upgrade PHPMailer to version 6.5.0.

Release notes: https://github.com/PHPMailer/PHPMailer/releases/tag/v6.5.0

For a full list of changes in this update, see the PHPMailer GitHub:
https://github.com/PHPMailer/PHPMailer/compare/v6.4.1...v6.5.0

Props ayeshrajans, Synchro.
Merges [51169] to the 5.7 branch.
Fixes #53430.
Built from https://develop.svn.wordpress.org/branches/5.7@51170

git-svn-id: http://core.svn.wordpress.org/branches/5.7@50779 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/PHPMailer/PHPMailer.php | 42 ++++++++++++++++++++++-------
 wp-includes/PHPMailer/SMTP.php      |  3 ++-
 wp-includes/version.php             |  2 +-
 3 files changed, 35 insertions(+), 12 deletions(-)

diff --git a/wp-includes/PHPMailer/PHPMailer.php b/wp-includes/PHPMailer/PHPMailer.php
index 25818104e0..5618251950 100644
--- a/wp-includes/PHPMailer/PHPMailer.php
+++ b/wp-includes/PHPMailer/PHPMailer.php
@@ -428,9 +428,11 @@ class PHPMailer
     public $Debugoutput = 'echo';
 
     /**
-     * Whether to keep SMTP connection open after each message.
-     * If this is set to true then to close the connection
-     * requires an explicit call to smtpClose().
+     * Whether to keep the SMTP connection open after each message.
+     * If this is set to true then the connection will remain open after a send,
+     * and closing the connection will require an explicit call to smtpClose().
+     * It's a good idea to use this if you are sending multiple messages as it reduces overhead.
+     * See the mailing list example for how to use it.
      *
      * @var bool
      */
@@ -748,7 +750,7 @@ class PHPMailer
      *
      * @var string
      */
-    const VERSION = '6.4.1';
+    const VERSION = '6.5.0';
 
     /**
      * Error severity: message only, continue processing.
@@ -1335,7 +1337,8 @@ class PHPMailer
         if (null === $patternselect) {
             $patternselect = static::$validator;
         }
-        if (is_callable($patternselect)) {
+        //Don't allow strings as callables, see SECURITY.md and CVE-2021-3603
+        if (is_callable($patternselect) && !is_string($patternselect)) {
             return call_user_func($patternselect, $address);
         }
         //Reject line breaks in addresses; it's valid RFC5322, but not RFC5321
@@ -2184,7 +2187,8 @@ class PHPMailer
      * The default language is English.
      *
      * @param string $langcode ISO 639-1 2-character language code (e.g. French is "fr")
-     * @param string $lang_path Path to the language file directory, with trailing separator (slash)
+     * @param string $lang_path Path to the language file directory, with trailing separator (slash).D
+     * Do not set this from user input!
      *
      * @return bool
      */
@@ -2246,14 +2250,32 @@ class PHPMailer
             if (!static::fileIsAccessible($lang_file)) {
                 $foundlang = false;
             } else {
-                //Overwrite language-specific strings.
-                //This way we'll never have missing translation keys.
-                $foundlang = include $lang_file;
+                //$foundlang = include $lang_file;
+                $lines = file($lang_file);
+                foreach ($lines as $line) {
+                    //Translation file lines look like this:
+                    //$PHPMAILER_LANG['authenticate'] = 'SMTP-Fehler: Authentifizierung fehlgeschlagen.';
+                    //These files are parsed as text and not PHP so as to avoid the possibility of code injection
+                    //See https://blog.stevenlevithan.com/archives/match-quoted-string
+                    $matches = [];
+                    if (
+                        preg_match(
+                            '/^\$PHPMAILER_LANG\[\'([a-z\d_]+)\'\]\s*=\s*(["\'])(.+)*?\2;/',
+                            $line,
+                            $matches
+                        ) &&
+                        //Ignore unknown translation keys
+                        array_key_exists($matches[1], $PHPMAILER_LANG)
+                    ) {
+                        //Overwrite language-specific strings so we'll never have missing translation keys.
+                        $PHPMAILER_LANG[$matches[1]] = (string)$matches[3];
+                    }
+                }
             }
         }
         $this->language = $PHPMAILER_LANG;
 
-        return (bool) $foundlang; //Returns false if language not found
+        return $foundlang; //Returns false if language not found
     }
 
     /**
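Review bot: The guard added on the `is_callable` line refuses a bare function-name string, but `is_callable` still accepts a two-string array such as `['Class', 'method']`, which is likewise resolved by name rather than bound to an object, so the comment should state the real scope of the check, e.g. `//Refuse function-name strings; closures, invokable objects and array callables are still accepted (see SECURITY.md and CVE-2021-3603)`. If only application-bound validators are intended, the condition could additionally require `$patternselect instanceof \Closure || is_object($patternselect)`, but that would drop array-callable support existing callers may rely on, so confirm before tightening. validateAddress begins and ends outside the hunk.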
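Review bot: The rewritten `@param string $lang_path` line ends in a stray `.D` after `(slash)`, which reads as an editing artefact from wrapping the description; it should read `* @param string $lang_path Path to the language file directory, with trailing separator (slash).` with the added `Do not set this from user input!` continuation kept as is. The enclosing setLanguage docblock continues outside the hunk.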
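Review bot: The value captured by `(.+)` in the preg_match pattern is assigned verbatim on the `$PHPMAILER_LANG[$matches[1]] = (string)$matches[3];` line, so a translation that escapes its own delimiter (for example `'L\'authentification'`) now keeps the backslash that the removed `include` used to consume; if any bundled language file does that, undo the escape before storing, e.g. `$PHPMAILER_LANG[$matches[1]] = str_replace('\\' . $matches[2], $matches[2], $matches[3]);`. The same pattern's `(.+)*?` leaves `$matches[3]` unset for an empty value such as `''`, which raises an undefined-array-key warning on PHP 8 before the `(string)` cast, and the nested quantifier is redundant; `(.*?)` in place of `(.+)*?` should capture the same values for the bundled files without either problem, but verify against them. `file($lang_file)` can still return false after `fileIsAccessible` passed (the file removed or made unreadable in between), and `foreach ($lines as $line)` would then emit a warning instead of reporting failure; `if ($lines === false) { $foundlang = false; }` before the loop keeps the documented return contract. setLanguage begins outside the hunk.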
diff --git a/wp-includes/PHPMailer/SMTP.php b/wp-includes/PHPMailer/SMTP.php
index 0e7f53df50..a4a91ed0dc 100644
--- a/wp-includes/PHPMailer/SMTP.php
+++ b/wp-includes/PHPMailer/SMTP.php
@@ -35,7 +35,7 @@ class SMTP
      *
      * @var string
      */
-    const VERSION = '6.4.1';
+    const VERSION = '6.5.0';
 
     /**
      * SMTP line break constant.
@@ -186,6 +186,7 @@ class SMTP
         'Amazon_SES' => '/[\d]{3} Ok (.*)/',
         'SendGrid' => '/[\d]{3} Ok: queued as (.*)/',
         'CampaignMonitor' => '/[\d]{3} 2.0.0 OK:([a-zA-Z\d]{48})/',
+        'Haraka' => '/[\d]{3} Message Queued \((.*)\)/',
     ];
 
     /**
diff --git a/wp-includes/version.php b/wp-includes/version.php
index 9e89292d81..151a09ec44 100644
--- a/wp-includes/version.php
+++ b/wp-includes/version.php
@@ -13,7 +13,7 @@
  *
  * @global string $wp_version
  */
-$wp_version = '5.7.3-alpha-51036';
+$wp_version = '5.7.3-alpha-51170';
 
 /**
  * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.