enmi-conf.org: comparison wp/wp-includes/PHPMailer/PHPMailer.php

equal deleted inserted replaced

-:be944660c56a
+:3d72ae0968f4
 /**
 * The From email address for the message.
 *
 * @var string
 */
-public $From = 'root@localhost';
+public $From = '';
 /**
 * The From name of the message.
 *
 * @var string
 */
-public $FromName = 'Root User';
+public $FromName = '';
 /**
 * The envelope sender of the message.
 * This will usually be turned into a Return-Path header by the receiver,
 * and is the address that bounces will be sent to.
 * @var string
 */
 public $AuthType = '';
 /**
-* An instance of the PHPMailer OAuth class.
+* An implementation of the PHPMailer OAuthTokenProvider interface.
 *
-* @var OAuth
+* @var OAuthTokenProvider
 */
 protected $oauth;
 /**
 * The SMTP server timeout in seconds.
 * @var array
 */
 protected $boundary = [];
 /**
-* The array of available languages.
+* The array of available text strings for the current language.
 *
 * @var array
 */
 protected $language = [];
 /**
 * The PHPMailer Version number.
 *
 * @var string
 */
-const VERSION = '6.5.0';
+const VERSION = '6.6.0';
 /**
 * Error severity: message only, continue processing.
 *
 * @var int
 *
 * @see http://www.andrew.cmu.edu/user/agreen1/testing/mrbs/web/Mail/RFC822.php A more careful implementation
 *
 * @param string $addrstr The address list string
 * @param bool   $useimap Whether to use the IMAP extension to parse the list
+* @param string $charset The charset to use when decoding the address list string.
 *
 * @return array
 */
-public static function parseAddresses($addrstr, $useimap = true)
+public static function parseAddresses($addrstr, $useimap = true, $charset = self::CHARSET_ISO88591)
 {
 $addresses = [];
 if ($useimap && function_exists('imap_rfc822_parse_adrlist')) {
 //Use this built-in parser if it's available
 $list = imap_rfc822_parse_adrlist($addrstr, '');
+// Clear any potential IMAP errors to get rid of notices being thrown at end of script.
+imap_errors();
 foreach ($list as $address) {
 if (
-('.SYNTAX-ERROR.' !== $address->host) && static::validateAddress(
+'.SYNTAX-ERROR.' !== $address->host &&
-$address->mailbox . '@' . $address->host
+static::validateAddress($address->mailbox . '@' . $address->host)
-)
 ) {
 //Decode the name part if it's present and encoded
 if (
 property_exists($address, 'personal') &&
-extension_loaded('mbstring') &&
+//Check for a Mbstring constant rather than using extension_loaded, which is sometimes disabled
-preg_match('/^=\?.*\?=$/', $address->personal)
+defined('MB_CASE_UPPER') &&
+preg_match('/^=\?.*\?=$/s', $address->personal)
 ) {
+$origCharset = mb_internal_encoding();
+mb_internal_encoding($charset);
+//Undo any RFC2047-encoded spaces-as-underscores
+$address->personal = str_replace('_', '=20', $address->personal);
+//Decode the name
 $address->personal = mb_decode_mimeheader($address->personal);
+mb_internal_encoding($origCharset);
 }
 $addresses[] = [
 'name' => (property_exists($address, 'personal') ? $address->personal : ''),
 'address' => $address->mailbox . '@' . $address->host,
 } else {
 list($name, $email) = explode('<', $address);
 $email = trim(str_replace('>', '', $email));
 $name = trim($name);
 if (static::validateAddress($email)) {
+//Check for a Mbstring constant rather than using extension_loaded, which is sometimes disabled
 //If this name is encoded, decode it
-if (preg_match('/^=\?.*\?=$/', $name)) {
+if (defined('MB_CASE_UPPER') && preg_match('/^=\?.*\?=$/s', $name)) {
+$origCharset = mb_internal_encoding();
+mb_internal_encoding($charset);
+//Undo any RFC2047-encoded spaces-as-underscores
+$name = str_replace('_', '=20', $name);
+//Decode the name
 $name = mb_decode_mimeheader($name);
+mb_internal_encoding($origCharset);
 }
 $addresses[] = [
 //Remove any surrounding quotes and spaces from the name
 'name' => trim($name, '\'" '),
 'address' => $email,
 $domain = mb_convert_encoding($domain, self::CHARSET_UTF8, $this->CharSet);
 //Ignore IDE complaints about this line - method signature changed in PHP 5.4
 $errorcode = 0;
 if (defined('INTL_IDNA_VARIANT_UTS46')) {
 //Use the current punycode standard (appeared in PHP 7.2)
-$punycode = idn_to_ascii($domain, $errorcode, \INTL_IDNA_VARIANT_UTS46);
+$punycode = idn_to_ascii(
+$domain,
+\IDNA_DEFAULT | \IDNA_USE_STD3_RULES | \IDNA_CHECK_BIDI |
+\IDNA_CHECK_CONTEXTJ | \IDNA_NONTRANSITIONAL_TO_ASCII,
+\INTL_IDNA_VARIANT_UTS46
+);
 } elseif (defined('INTL_IDNA_VARIANT_2003')) {
 //Fall back to this old, deprecated/removed encoding
 // phpcs:ignore PHPCompatibility.Constants.RemovedConstants.intl_idna_variant_2003Deprecated
 $punycode = idn_to_ascii($domain, $errorcode, \INTL_IDNA_VARIANT_2003);
 } else {
 && ((\PHP_VERSION_ID >= 70000 && \PHP_VERSION_ID < 70017)
 || (\PHP_VERSION_ID >= 70100 && \PHP_VERSION_ID < 70103))
 && ini_get('mail.add_x_header') === '1'
 && stripos(PHP_OS, 'WIN') === 0
 ) {
-trigger_error(
+trigger_error($this->lang('buggy_php'), E_USER_WARNING);
-'Your version of PHP is affected by a bug that may result in corrupted messages.' .
-' To fix it, switch to sending using SMTP, disable the mail.add_x_header option in' .
-' your php.ini, switch to MacOS or Linux, or upgrade your PHP to version 7.0.17+ or 7.1.3+.',
-E_USER_WARNING
-);
 }
 try {
 $this->error_count = 0; //Reset errors
 $this->mailHeader = '';
 //causing problems, so we don't use one
 //Exim docs: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html
 //Sendmail docs: http://www.sendmail.org/~ca/email/man/sendmail.html
 //Qmail docs: http://www.qmail.org/man/man8/qmail-inject.html
 //Example problem: https://www.drupal.org/node/1057954
-if (empty($this->Sender) && !empty(ini_get('sendmail_from'))) {
+//PHP 5.6 workaround
+$sendmail_from_value = ini_get('sendmail_from');
+if (empty($this->Sender) && !empty($sendmail_from_value)) {
 //PHP config has a sender address we can use
 $this->Sender = ini_get('sendmail_from');
 }
 //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
 if (!empty($this->Sender) && static::validateAddress($this->Sender) && self::isShellSafe($this->Sender)) {
 $this->edebug("To: {$toAddr}");
 fwrite($mail, 'To: ' . $toAddr . "\n");
 fwrite($mail, $header);
 fwrite($mail, $body);
 $result = pclose($mail);
-$addrinfo = static::parseAddresses($toAddr);
+$addrinfo = static::parseAddresses($toAddr, true, $this->CharSet);
 $this->doCallback(
 ($result === 0),
 [[$addrinfo['address'], $addrinfo['name']]],
 $this->cc,
 $this->bcc,
 *
 * @return bool
 */
 protected static function isShellSafe($string)
 {
-//Future-proof
+//It's not possible to use shell commands safely (which includes the mail() function) without escapeshellarg,
+//but some hosting providers disable it, creating a security problem that we don't want to have to deal with,
+//so we don't.
+if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
+return false;
+}
 if (
 escapeshellcmd($string) !== $string
 || !in_array(escapeshellarg($string), ["'$string'", "\"$string\""])
 ) {
 return false;
 //Exim docs: http://www.exim.org/exim-html-current/doc/html/spec_html/ch-the_exim_command_line.html
 //Sendmail docs: http://www.sendmail.org/~ca/email/man/sendmail.html
 //Qmail docs: http://www.qmail.org/man/man8/qmail-inject.html
 //Example problem: https://www.drupal.org/node/1057954
 //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
-if (empty($this->Sender) && !empty(ini_get('sendmail_from'))) {
+//PHP 5.6 workaround
+$sendmail_from_value = ini_get('sendmail_from');
+if (empty($this->Sender) && !empty($sendmail_from_value)) {
 //PHP config has a sender address we can use
 $this->Sender = ini_get('sendmail_from');
 }
 if (!empty($this->Sender) && static::validateAddress($this->Sender)) {
 if (self::isShellSafe($this->Sender)) {
 }
 $result = false;
 if ($this->SingleTo && count($toArr) > 1) {
 foreach ($toArr as $toAddr) {
 $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
-$addrinfo = static::parseAddresses($toAddr);
+$addrinfo = static::parseAddresses($toAddr, true, $this->CharSet);
 $this->doCallback(
 $result,
 [[$addrinfo['address'], $addrinfo['name']]],
 $this->cc,
 $this->bcc,
 if ($this->SMTPAutoTLS && $sslext && 'ssl' !== $secure && $this->smtp->getServerExt('STARTTLS')) {
 $tls = true;
 }
 if ($tls) {
 if (!$this->smtp->startTLS()) {
-throw new Exception($this->lang('connect_host'));
+$message = $this->getSmtpErrorMessage('connect_host');
+throw new Exception($message);
 }
 //We must resend EHLO after TLS negotiation
 $this->smtp->hello($hello);
 }
 if (
 //If we get here, all connection attempts have failed, so close connection hard
 $this->smtp->close();
 //As we've caught all exceptions, just report whatever the last one was
 if ($this->exceptions && null !== $lastexception) {
 throw $lastexception;
+} elseif ($this->exceptions) {
+// no exception was thrown, likely $this->smtp->connect() failed
+$message = $this->getSmtpErrorMessage('connect_host');
+throw new Exception($message);
 }
 return false;
 }
 }
 }
 /**
 * Set the language for error messages.
-* Returns false if it cannot load the language file.
 * The default language is English.
 *
 * @param string $langcode  ISO 639-1 2-character language code (e.g. French is "fr")
-* @param string $lang_path Path to the language file directory, with trailing separator (slash).D
+*                          Optionally, the language code can be enhanced with a 4-character
+*                          script annotation and/or a 2-character country annotation.
+* @param string $lang_path Path to the language file directory, with trailing separator (slash)
 *                          Do not set this from user input!
 *
-* @return bool
+* @return bool Returns true if the requested language was loaded, false otherwise.
 */
 public function setLanguage($langcode = 'en', $lang_path = '')
 {
 //Backwards compatibility for renamed language codes
 $renamed_langcodes = [
 }
 //Define full set of translatable strings in English
 $PHPMAILER_LANG = [
 'authenticate' => 'SMTP Error: Could not authenticate.',
+'buggy_php' => 'Your version of PHP is affected by a bug that may result in corrupted messages.' .
+' To fix it, switch to sending using SMTP, disable the mail.add_x_header option in' .
+' your php.ini, switch to MacOS or Linux, or upgrade your PHP to version 7.0.17+ or 7.1.3+.',
 'connect_host' => 'SMTP Error: Could not connect to SMTP host.',
 'data_not_accepted' => 'SMTP Error: data not accepted.',
 'empty_message' => 'Message body empty',
 'encoding' => 'Unknown encoding: ',
 'execute' => 'Could not execute: ',
+'extension_missing' => 'Extension missing: ',
 'file_access' => 'Could not access file: ',
 'file_open' => 'File Error: Could not open file: ',
 'from_failed' => 'The following From address failed: ',
 'instantiate' => 'Could not instantiate mail function.',
 'invalid_address' => 'Invalid address: ',
+'invalid_header' => 'Invalid header name or value',
 'invalid_hostentry' => 'Invalid hostentry: ',
 'invalid_host' => 'Invalid host: ',
 'mailer_not_supported' => ' mailer is not supported.',
 'provide_address' => 'You must provide at least one recipient email address.',
 'recipients_failed' => 'SMTP Error: The following recipients failed: ',
 'signing' => 'Signing Error: ',
+'smtp_code' => 'SMTP code: ',
+'smtp_code_ex' => 'Additional SMTP info: ',
 'smtp_connect_failed' => 'SMTP connect() failed.',
+'smtp_detail' => 'Detail: ',
 'smtp_error' => 'SMTP server error: ',
 'variable_set' => 'Cannot set or reset variable: ',
-'extension_missing' => 'Extension missing: ',
 ];
 if (empty($lang_path)) {
 //Calculate an absolute path so it can work if CWD is not here
 $lang_path = dirname(__DIR__) . DIRECTORY_SEPARATOR . 'language' . DIRECTORY_SEPARATOR;
 }
 //Validate $langcode
-if (!preg_match('/^[a-z]{2}(?:_[a-zA-Z]{2})?$/', $langcode)) {
+$foundlang = true;
+$langcode  = strtolower($langcode);
+if (
+!preg_match('/^(?P<lang>[a-z]{2})(?P<script>_[a-z]{4})?(?P<country>_[a-z]{2})?$/', $langcode, $matches)
+&& $langcode !== 'en'
+) {
+$foundlang = false;
 $langcode = 'en';
 }
-$foundlang = true;
-$lang_file = $lang_path . 'phpmailer.lang-' . $langcode . '.php';
 //There is no English translation file
 if ('en' !== $langcode) {
-//Make sure language file path is readable
+$langcodes = [];
-if (!static::fileIsAccessible($lang_file)) {
+if (!empty($matches['script']) && !empty($matches['country'])) {
+$langcodes[] = $matches['lang'] . $matches['script'] . $matches['country'];
+}
+if (!empty($matches['country'])) {
+$langcodes[] = $matches['lang'] . $matches['country'];
+}
+if (!empty($matches['script'])) {
+$langcodes[] = $matches['lang'] . $matches['script'];
+}
+$langcodes[] = $matches['lang'];
+//Try and find a readable language file for the requested language.
+$foundFile = false;
+foreach ($langcodes as $code) {
+$lang_file = $lang_path . 'phpmailer.lang-' . $code . '.php';
+if (static::fileIsAccessible($lang_file)) {
+$foundFile = true;
+break;
+}
+}
+if ($foundFile === false) {
 $foundlang = false;
 } else {
-//$foundlang = include $lang_file;
 $lines = file($lang_file);
 foreach ($lines as $line) {
 //Translation file lines look like this:
 //$PHPMAILER_LANG['authenticate'] = 'SMTP-Fehler: Authentifizierung fehlgeschlagen.';
 //These files are parsed as text and not PHP so as to avoid the possibility of code injection
 *
 * @return array
 */
 public function getTranslations()
 {
+if (empty($this->language)) {
+$this->setLanguage(); // Set the default language.
+}
 return $this->language;
 }
 /**
 * Create recipient headers.
 $result .= $this->headerLine('Subject', $this->encodeHeader($this->secureHeader($this->Subject)));
 }
 //Only allow a custom message ID if it conforms to RFC 5322 section 3.6.4
 //https://tools.ietf.org/html/rfc5322#section-3.6.4
-if ('' !== $this->MessageID && preg_match('/^<.*@.*>$/', $this->MessageID)) {
+if (
+'' !== $this->MessageID &&
+preg_match(
+'/^<((([a-z\d!#$%&\'*+\/=?^_`{|}~-]+(\.[a-z\d!#$%&\'*+\/=?^_`{|}~-]+)*)' .
+'|("(([\x01-\x08\x0B\x0C\x0E-\x1F\x7F]|[\x21\x23-\x5B\x5D-\x7E])' .
+'|(\\[\x01-\x09\x0B\x0C\x0E-\x7F]))*"))@(([a-z\d!#$%&\'*+\/=?^_`{|}~-]+' .
+'(\.[a-z\d!#$%&\'*+\/=?^_`{|}~-]+)*)|(\[(([\x01-\x08\x0B\x0C\x0E-\x1F\x7F]' .
+'|[\x21-\x5A\x5E-\x7E])|(\\[\x01-\x09\x0B\x0C\x0E-\x7F]))*\])))>$/Di',
+$this->MessageID
+)
+) {
 $this->lastMessageID = $this->MessageID;
 } else {
 $this->lastMessageID = sprintf('<%s@%s>', $this->uniqueid, $this->serverHostname());
 }
 $result .= $this->headerLine('Message-ID', $this->lastMessageID);
 if (null !== $this->Priority) {
 $result .= $this->headerLine('X-Priority', $this->Priority);
 }
 if ('' === $this->XMailer) {
+//Empty string for default X-Mailer header
 $result .= $this->headerLine(
 'X-Mailer',
 'PHPMailer ' . self::VERSION . ' (https://github.com/PHPMailer/PHPMailer)'
 );
-} else {
+} elseif (is_string($this->XMailer) && trim($this->XMailer) !== '') {
-$myXmailer = trim($this->XMailer);
+//Some string
-if ($myXmailer) {
+$result .= $this->headerLine('X-Mailer', trim($this->XMailer));
-$result .= $this->headerLine('X-Mailer', $myXmailer);
+} //Other values result in no X-Mailer header
-}
-}
 if ('' !== $this->ConfirmReadingTo) {
 $result .= $this->headerLine('Disposition-Notification-To', '<' . $this->ConfirmReadingTo . '>');
 }
 if ('smtp' === $this->Mailer && null !== $this->smtp) {
 $lasterror = $this->smtp->getError();
 if (!empty($lasterror['error'])) {
 $msg .= $this->lang('smtp_error') . $lasterror['error'];
 if (!empty($lasterror['detail'])) {
-$msg .= ' Detail: ' . $lasterror['detail'];
+$msg .= ' ' . $this->lang('smtp_detail') . $lasterror['detail'];
 }
 if (!empty($lasterror['smtp_code'])) {
-$msg .= ' SMTP code: ' . $lasterror['smtp_code'];
+$msg .= ' ' . $this->lang('smtp_code') . $lasterror['smtp_code'];
 }
 if (!empty($lasterror['smtp_code_ex'])) {
-$msg .= ' Additional SMTP info: ' . $lasterror['smtp_code_ex'];
+$msg .= ' ' . $this->lang('smtp_code_ex') . $lasterror['smtp_code_ex'];
 }
 }
 }
 $this->ErrorInfo = $msg;
 }
 //Simple syntax limits
 if (
 empty($host)
 || !is_string($host)
 || strlen($host) > 256
-|| !preg_match('/^([a-zA-Z\d.-]*|\[[a-fA-F\d:]+])$/', $host)
+|| !preg_match('/^([a-zA-Z\d.-]*|\[[a-fA-F\d:]+\])$/', $host)
 ) {
 return false;
 }
 //Looks like a bracketed IPv6 address
 if (strlen($host) > 2 && substr($host, 0, 1) === '[' && substr($host, -1, 1) === ']') {
 //Return the key as a fallback
 return $key;
 }
 /**
+* Build an error message starting with a generic one and adding details if possible.
+*
+* @param string $base_key
+* @return string
+*/
+private function getSmtpErrorMessage($base_key)
+{
+$message = $this->lang($base_key);
+$error = $this->smtp->getError();
+if (!empty($error['error'])) {
+$message .= ' ' . $error['error'];
+if (!empty($error['detail'])) {
+$message .= ' ' . $error['detail'];
+}
+}
+return $message;
+}
+/**
 * Check if an error occurred.
 *
 * @return bool True if an error did occur
 */
 public function isError()
 if (null === $value && strpos($name, ':') !== false) {
 //Value passed in as name:value
 list($name, $value) = explode(':', $name, 2);
 }
 $name = trim($name);
-$value = trim($value);
+$value = (null === $value) ? '' : trim($value);
 //Ensure name is not empty, and that neither name nor value contain line breaks
 if (empty($name) || strpbrk($name . $value, "\r\n") !== false) {
 if ($this->exceptions) {
-throw new Exception('Invalid header name or value');
+throw new Exception($this->lang('invalid_header'));
 }
 return false;
 }
 $this->CustomHeader[] = [$name, $value];
 * });
 * ```
 *
 * @param string        $html     The HTML text to convert
 * @param bool|callable $advanced Any boolean value to use the internal converter,
-*                                or provide your own callable for custom conversion
+*                                or provide your own callable for custom conversion.
+*                                *Never* pass user-supplied data into this parameter
 *
 * @return string
 */
 public function html2text($html, $advanced = false)
 {
 call_user_func($this->action_function, $isSent, $to, $cc, $bcc, $subject, $body, $from, $extra);
 }
 }
 /**
-* Get the OAuth instance.
+* Get the OAuthTokenProvider instance.
 *
-* @return OAuth
+* @return OAuthTokenProvider
 */
 public function getOAuth()
 {
 return $this->oauth;
 }
 /**
-* Set an OAuth instance.
+* Set an OAuthTokenProvider instance.
 */
-public function setOAuth(OAuth $oauth)
+public function setOAuth(OAuthTokenProvider $oauth)
 {
 $this->oauth = $oauth;
 }
 }

changeset 19	3d72ae0968f4
parent 18	be944660c56a
child 21	48c4eec2b7e6