From 9c416615cefe8c8ce777ed856a69daea8ec3ad64 Mon Sep 17 00:00:00 2001 From: Sergey Biryukov Date: Mon, 30 Nov 2020 17:26:08 +0000 Subject: [PATCH] External Libraries: Upgrade PHPMailer to version 6.2.0. For a full list of changes in this update, see the PHPMailer GitHub: https://github.com/PHPMailer/PHPMailer/compare/v6.1.8...v6.2.0 Props ayeshrajans, jrf. Reviewed by jrf, SergeyBiryukov. Merges [49713] to the 5.6 branch. Fixes #51874. Built from https://develop.svn.wordpress.org/branches/5.6@49714 git-svn-id: http://core.svn.wordpress.org/branches/5.6@49437 1a063a9b-81f0-0310-95a4-ce76da25c4cd --- wp-includes/PHPMailer/Exception.php | 1 + wp-includes/PHPMailer/PHPMailer.php | 105 +++++++++++++++++----------- wp-includes/PHPMailer/SMTP.php | 23 +++--- wp-includes/version.php | 2 +- 4 files changed, 79 insertions(+), 52 deletions(-) diff --git a/wp-includes/PHPMailer/Exception.php b/wp-includes/PHPMailer/Exception.php index e7807fc2ca..a50a8991f7 100644 --- a/wp-includes/PHPMailer/Exception.php +++ b/wp-includes/PHPMailer/Exception.php @@ -1,4 +1,5 @@ host) && static::validateAddress( - $address->mailbox . '@' . $address->host - )) { + if ( + ('.SYNTAX-ERROR.' !== $address->host) && static::validateAddress( + $address->mailbox . '@' . $address->host + ) + ) { $addresses[] = [ 'name' => (property_exists($address, 'personal') ? $address->personal : ''), 'address' => $address->mailbox . '@' . $address->host, @@ -1241,7 +1244,8 @@ class PHPMailer $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim // Don't validate now addresses with IDN. Will be done in send(). $pos = strrpos($address, '@'); - if ((false === $pos) + if ( + (false === $pos) || ((!$this->has8bitChars(substr($address, ++$pos)) || !static::idnSupported()) && !static::validateAddress($address)) ) { 
@@ -1393,7 +1397,8 @@ class PHPMailer { // Verify we have required functions, CharSet, and at-sign. $pos = strrpos($address, '@'); - if (!empty($this->CharSet) && + if ( + !empty($this->CharSet) && false !== $pos && static::idnSupported() ) { @@ -1457,8 +1462,9 @@ class PHPMailer */ public function preSend() { - if ('smtp' === $this->Mailer - || ('mail' === $this->Mailer && stripos(PHP_OS, 'WIN') === 0) + if ( + 'smtp' === $this->Mailer + || ('mail' === $this->Mailer && (PHP_VERSION_ID >= 80000 || stripos(PHP_OS, 'WIN') === 0)) ) { //SMTP mandates RFC-compliant line endings //and it's also used with mail() on Windows @@ -1468,7 +1474,8 @@ class PHPMailer static::setLE(PHP_EOL); } //Check for buggy PHP versions that add a header with an incorrect line break - if ('mail' === $this->Mailer + if ( + 'mail' === $this->Mailer && ((PHP_VERSION_ID >= 70000 && PHP_VERSION_ID < 70017) || (PHP_VERSION_ID >= 70100 && PHP_VERSION_ID < 70103)) && ini_get('mail.add_x_header') === '1' @@ -1555,7 +1562,8 @@ class PHPMailer } // Sign with DKIM if enabled - if (!empty($this->DKIM_domain) + if ( + !empty($this->DKIM_domain) && !empty($this->DKIM_selector) && (!empty($this->DKIM_private_string) || (!empty($this->DKIM_private) @@ -1613,7 +1621,7 @@ class PHPMailer } } catch (Exception $exc) { if ($this->Mailer === 'smtp' && $this->SMTPKeepAlive == true) { - $this->smtp->reset(); + $this->smtp->reset(); } $this->setError($exc->getMessage()); $this->edebug($exc->getMessage()); @@ -1719,7 +1727,8 @@ class PHPMailer protected static function isShellSafe($string) { // Future-proof - if (escapeshellcmd($string) !== $string + if ( + escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), ["'$string'", "\"$string\""]) ) { return false; @@ -1903,7 +1912,7 @@ class PHPMailer $isSent = true; } - $callbacks[] = ['issent'=>$isSent, 'to'=>$to[0]]; + $callbacks[] = ['issent' => $isSent, 'to' => $to[0]]; } } 
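Review bot: In the `preSend()` hunk (`@@ -1457`), the comment under the condition still reads `//and it's also used with mail() on Windows`, but the new test `PHP_VERSION_ID >= 80000 || stripos(PHP_OS, 'WIN') === 0` now takes that branch for `mail()` on every platform under PHP 8. I would extend the comment to say so, for example `//and it's also used with mail() on Windows, and on all platforms from PHP 8.0`, so the version gate is not later mistaken for an error and removed. The rest of `preSend()` lies outside the hunk, including the call that sets the line ending in this branch, so the wording should be checked against it.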
@@ -1983,11 +1992,13 @@ class PHPMailer foreach ($hosts as $hostentry) { $hostinfo = []; - if (!preg_match( - '/^(?:(ssl|tls):\/\/)?(.+?)(?::(\d+))?$/', - trim($hostentry), - $hostinfo - )) { + if ( + !preg_match( + '/^(?:(ssl|tls):\/\/)?(.+?)(?::(\d+))?$/', + trim($hostentry), + $hostinfo + ) + ) { $this->edebug($this->lang('invalid_hostentry') . ' ' . trim($hostentry)); // Not a valid host entry continue; @@ -2056,12 +2067,14 @@ class PHPMailer // We must resend EHLO after TLS negotiation $this->smtp->hello($hello); } - if ($this->SMTPAuth && !$this->smtp->authenticate( - $this->Username, - $this->Password, - $this->AuthType, - $this->oauth - )) { + if ( + $this->SMTPAuth && !$this->smtp->authenticate( + $this->Username, + $this->Password, + $this->AuthType, + $this->oauth + ) + ) { throw new Exception($this->lang('authenticate')); } @@ -2119,7 +2132,7 @@ class PHPMailer 'am' => 'hy', ]; - if (isset($renamed_langcodes[$langcode])) { + if (array_key_exists($langcode, $renamed_langcodes)) { $langcode = $renamed_langcodes[$langcode]; } @@ -2428,7 +2441,8 @@ class PHPMailer } // sendmail and mail() extract Bcc from the header before sending - if (( + if ( + ( 'sendmail' === $this->Mailer || 'qmail' === $this->Mailer || 'mail' === $this->Mailer ) && count($this->bcc) > 0 @@ -3898,7 +3912,8 @@ class PHPMailer public static function isValidHost($host) { //Simple syntax limits - if (empty($host) + if ( + empty($host) || !is_string($host) || strlen($host) > 256 || !preg_match('/^([a-zA-Z\d.-]*|\[[a-fA-F\d:]+])$/', $host) @@ -4064,7 +4079,8 @@ class PHPMailer ); continue; } - if (// Only process relative URLs if a basedir is provided (i.e. no absolute local paths) + if ( + // Only process relative URLs if a basedir is provided (i.e. no absolute local paths) !empty($basedir) // Ignore URLs containing parent dir traversal (..) && (strpos($url, '..') === false) 
@@ -4086,13 +4102,14 @@ class PHPMailer if (strlen($directory) > 1 && '/' !== substr($directory, -1)) { $directory .= '/'; } - if ($this->addEmbeddedImage( - $basedir . $directory . $filename, - $cid, - $filename, - static::ENCODING_BASE64, - static::_mime_types((string) static::mb_pathinfo($filename, PATHINFO_EXTENSION)) - ) + if ( + $this->addEmbeddedImage( + $basedir . $directory . $filename, + $cid, + $filename, + static::ENCODING_BASE64, + static::_mime_types((string) static::mb_pathinfo($filename, PATHINFO_EXTENSION)) + ) ) { $message = preg_replace( '/' . $images[1][$imgindex] . '=["\']' . preg_quote($url, '/') . '["\']/Ui', @@ -4511,11 +4528,15 @@ class PHPMailer $privKey = openssl_pkey_get_private($privKeyStr); } if (openssl_sign($signHeader, $signature, $privKey, 'sha256WithRSAEncryption')) { - openssl_pkey_free($privKey); + if (PHP_MAJOR_VERSION < 8) { + openssl_pkey_free($privKey); + } return base64_encode($signature); } - openssl_pkey_free($privKey); + if (PHP_MAJOR_VERSION < 8) { + openssl_pkey_free($privKey); + } return ''; } diff --git a/wp-includes/PHPMailer/SMTP.php b/wp-includes/PHPMailer/SMTP.php index 9e43dce2a5..ab7f46e4c8 100644 --- a/wp-includes/PHPMailer/SMTP.php +++ b/wp-includes/PHPMailer/SMTP.php @@ -1,4 +1,5 @@ sendCommand( - 'User & Password', - base64_encode("\0" . $username . "\0" . $password), - 235 - ) + if ( + !$this->sendCommand( + 'User & Password', + base64_encode("\0" . $username . "\0" . $password), + 235 + ) ) { return false; } 
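Review bot: In the `@@ -4511` hunk there is no visible check of `$privKey` between `openssl_pkey_get_private($privKeyStr)` and `openssl_sign(...)`, so a key that fails to load appears to fall through to the final `return ''` with nothing recorded, and the caller gets an empty signature. A guard before the sign call, such as `if (false === $privKey) { $this->edebug('DKIM private key could not be loaded'); return ''; }`, would surface the failure and also keep `openssl_pkey_free()` from being handed `false` on PHP 7. The `PHP_MAJOR_VERSION < 8` guard is now written twice; capturing the `openssl_sign` result in a variable and freeing once before a single return would remove the duplication. The function begins outside the hunk, so how callers treat the empty string is inferred, and since this file is bundled from upstream PHPMailer the change would belong there.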
@@ -1086,8 +1088,10 @@ class SMTP { //If SMTP transcripts are left enabled, or debug output is posted online //it can leak credentials, so hide credentials in all but lowest level - if (self::DEBUG_LOWLEVEL > $this->do_debug && - in_array($command, ['User & Password', 'Username', 'Password'], true)) { + if ( + self::DEBUG_LOWLEVEL > $this->do_debug && + in_array($command, ['User & Password', 'Username', 'Password'], true) + ) { $this->edebug('CLIENT -> SERVER: [credentials hidden]', self::DEBUG_CLIENT); } else { $this->edebug('CLIENT -> SERVER: ' . $data, self::DEBUG_CLIENT); @@ -1207,7 +1211,8 @@ class SMTP self::DEBUG_LOWLEVEL ); - //stream_select returns false when the `select` system call is interrupted by an incoming signal, try the select again + //stream_select returns false when the `select` system call is interrupted + //by an incoming signal, try the select again if (stripos($message, 'interrupted system call') !== false) { $this->edebug( 'SMTP -> get_lines(): retrying stream_select', diff --git a/wp-includes/version.php b/wp-includes/version.php index 7f051bd0d5..92d5f6f682 100644 --- a/wp-includes/version.php +++ b/wp-includes/version.php @@ -13,7 +13,7 @@ * * @global string $wp_version */ -$wp_version = '5.6-RC1-49712'; +$wp_version = '5.6-RC1-49714'; /** * Holds the WordPress DB revision, increments when changes are made to the WordPress DB schema.