External libraries: Improve attachment handling in PHPMailer

Props: audrasjb, ayeshrajans, desrosj, peterwilsoncc, xknown.
Partially merges [50799] to the 5.5 branch.


Built from https://develop.svn.wordpress.org/branches/5.5@50849


git-svn-id: http://core.svn.wordpress.org/branches/5.5@50458 1a063a9b-81f0-0310-95a4-ce76da25c4cd
Peter Wilson 2021-05-12 22:26:56 +00:00
parent 3a58019c39
commit aae37f1790
1 changed files with 26 additions and 5 deletions


@ -1747,7 +1747,28 @@ class PHPMailer
*/
protected static function isPermittedPath($path)
{
return !preg_match('#^[a-z]+://#i', $path);
//Matches scheme definition from https://tools.ietf.org/html/rfc3986#section-3.1
return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);
}
/**
* Check whether a file path is safe, accessible, and readable.
*
* @param string $path A relative or absolute path to a file
*
* @return bool
*/
protected static function fileIsAccessible($path)
{
if (!static::isPermittedPath($path)) {
return false;
}
$readable = file_exists($path);
//If not a UNC path (expected to start with \\), check read permission, see #2069
if (strpos($path, '\\\\') !== 0) {
$readable = $readable && is_readable($path);
}
return $readable;
}
/**
@ -2133,7 +2154,7 @@ class PHPMailer
// There is no English translation file
if ('en' !== $langcode) {
// Make sure language file path is readable
if (!static::isPermittedPath($lang_file) || !file_exists($lang_file)) {
if (!static::fileIsAccessible($lang_file)) {
$foundlang = false;
} else {
// Overwrite language-specific strings.
@ -2965,7 +2986,7 @@ class PHPMailer
$disposition = 'attachment'
) {
try {
if (!static::isPermittedPath($path) || !@is_file($path) || !is_readable($path)) {
if (!static::fileIsAccessible($path)) {
throw new Exception($this->lang('file_access') . $path, self::STOP_CONTINUE);
}
@ -3140,7 +3161,7 @@ class PHPMailer
protected function encodeFile($path, $encoding = self::ENCODING_BASE64)
{
try {
if (!static::isPermittedPath($path) || !file_exists($path) || !is_readable($path)) {
if (!static::fileIsAccessible($path)) {
throw new Exception($this->lang('file_open') . $path, self::STOP_CONTINUE);
}
$file_buffer = file_get_contents($path);
@ -3526,7 +3547,7 @@ class PHPMailer
$disposition = 'inline'
) {
try {
if (!static::isPermittedPath($path) || !@is_file($path) || !is_readable($path)) {
if (!static::fileIsAccessible($path)) {
throw new Exception($this->lang('file_access') . $path, self::STOP_CONTINUE);
}
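Review bot: The two attachment guards rewritten at L60→L61 and L77→L78 drop the old `!@is_file($path)` test, and the `fileIsAccessible()` helper they now call checks only `file_exists()` (L39) plus `is_readable()`, so a directory path passes the guard and is rejected later, presumably by `file_get_contents` in `encodeFile` (L72) with the `file_open` message rather than `file_access`. Either add `is_file` to the helper or keep it at these two call sites: `if (!static::fileIsAccessible($path) || !@is_file($path)) {`. Note also that these checks are advisory only — the file can change between the check and the read in `encodeFile`, so the `file_get_contents` result (false on failure) still needs to be handled there; its handling is outside the hunk. The docblock on `fileIsAccessible` (L28) should state the UNC exemption, e.g. `* UNC paths (starting with \\) are only checked for existence, not readability; see #2069.`. The enclosing methods of the L60 and L77 hunks start above the hunk, and the class continues outside SOURCE.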