--- a/wp/wp-includes/PHPMailer/PHPMailer.php Wed Sep 21 18:19:35 2022 +0200
+++ b/wp/wp-includes/PHPMailer/PHPMailer.php Tue Sep 27 16:37:53 2022 +0200
@@ -103,14 +103,14 @@
*
* @var string
*/
- public $From = 'root@localhost';
+ public $From = '';
/**
* The From name of the message.
*
* @var string
*/
- public $FromName = 'Root User';
+ public $FromName = '';
/**
* The envelope sender of the message.
@@ -358,9 +358,9 @@
public $AuthType = '';
/**
- * An instance of the PHPMailer OAuth class.
- *
- * @var OAuth
+ * An implementation of the PHPMailer OAuthTokenProvider interface.
+ *
+ * @var OAuthTokenProvider
*/
protected $oauth;
@@ -689,7 +689,7 @@
protected $boundary = [];
/**
- * The array of available languages.
+ * The array of available text strings for the current language.
*
* @var array
*/
@@ -750,7 +750,7 @@
*
* @var string
*/
- const VERSION = '6.5.0';
+ const VERSION = '6.6.0';
/**
* Error severity: message only, continue processing.
@@ -1185,28 +1185,37 @@
*
* @param string $addrstr The address list string
* @param bool $useimap Whether to use the IMAP extension to parse the list
+ * @param string $charset The charset to use when decoding the address list string.
*
* @return array
*/
- public static function parseAddresses($addrstr, $useimap = true)
+ public static function parseAddresses($addrstr, $useimap = true, $charset = self::CHARSET_ISO88591)
{
$addresses = [];
if ($useimap && function_exists('imap_rfc822_parse_adrlist')) {
//Use this built-in parser if it's available
$list = imap_rfc822_parse_adrlist($addrstr, '');
+ // Clear any potential IMAP errors to get rid of notices being thrown at end of script.
+ imap_errors();
foreach ($list as $address) {
if (
- ('.SYNTAX-ERROR.' !== $address->host) && static::validateAddress(
- $address->mailbox . '@' . $address->host
- )
+ '.SYNTAX-ERROR.' !== $address->host &&
+ static::validateAddress($address->mailbox . '@' . $address->host)
) {
//Decode the name part if it's present and encoded
if (
property_exists($address, 'personal') &&
- extension_loaded('mbstring') &&
- preg_match('/^=\?.*\?=$/', $address->personal)
+ //Check for a Mbstring constant rather than using extension_loaded, which is sometimes disabled
+ defined('MB_CASE_UPPER') &&
+ preg_match('/^=\?.*\?=$/s', $address->personal)
) {
+ $origCharset = mb_internal_encoding();
+ mb_internal_encoding($charset);
+ //Undo any RFC2047-encoded spaces-as-underscores
+ $address->personal = str_replace('_', '=20', $address->personal);
+ //Decode the name
$address->personal = mb_decode_mimeheader($address->personal);
+ mb_internal_encoding($origCharset);
}
$addresses[] = [
@@ -1234,9 +1243,16 @@
$email = trim(str_replace('>', '', $email));
$name = trim($name);
if (static::validateAddress($email)) {
+ //Check for a Mbstring constant rather than using extension_loaded, which is sometimes disabled
//If this name is encoded, decode it
- if (preg_match('/^=\?.*\?=$/', $name)) {
+ if (defined('MB_CASE_UPPER') && preg_match('/^=\?.*\?=$/s', $name)) {
+ $origCharset = mb_internal_encoding();
+ mb_internal_encoding($charset);
+ //Undo any RFC2047-encoded spaces-as-underscores
+ $name = str_replace('_', '=20', $name);
+ //Decode the name
$name = mb_decode_mimeheader($name);
+ mb_internal_encoding($origCharset);
}
$addresses[] = [
//Remove any surrounding quotes and spaces from the name
@@ -1436,7 +1452,12 @@
$errorcode = 0;
if (defined('INTL_IDNA_VARIANT_UTS46')) {
//Use the current punycode standard (appeared in PHP 7.2)
- $punycode = idn_to_ascii($domain, $errorcode, \INTL_IDNA_VARIANT_UTS46);
+ $punycode = idn_to_ascii(
+ $domain,
+ \IDNA_DEFAULT | \IDNA_USE_STD3_RULES | \IDNA_CHECK_BIDI |
+ \IDNA_CHECK_CONTEXTJ | \IDNA_NONTRANSITIONAL_TO_ASCII,
+ \INTL_IDNA_VARIANT_UTS46
+ );
} elseif (defined('INTL_IDNA_VARIANT_2003')) {
//Fall back to this old, deprecated/removed encoding
// phpcs:ignore PHPCompatibility.Constants.RemovedConstants.intl_idna_variant_2003Deprecated
@@ -1510,12 +1531,7 @@
&& ini_get('mail.add_x_header') === '1'
&& stripos(PHP_OS, 'WIN') === 0
) {
- trigger_error(
- 'Your version of PHP is affected by a bug that may result in corrupted messages.' .
- ' To fix it, switch to sending using SMTP, disable the mail.add_x_header option in' .
- ' your php.ini, switch to MacOS or Linux, or upgrade your PHP to version 7.0.17+ or 7.1.3+.',
- E_USER_WARNING
- );
+ trigger_error($this->lang('buggy_php'), E_USER_WARNING);
}
try {
@@ -1689,7 +1705,10 @@
//Sendmail docs: http://www.sendmail.org/~ca/email/man/sendmail.html
//Qmail docs: http://www.qmail.org/man/man8/qmail-inject.html
//Example problem: https://www.drupal.org/node/1057954
- if (empty($this->Sender) && !empty(ini_get('sendmail_from'))) {
+
+ //PHP 5.6 workaround
+ $sendmail_from_value = ini_get('sendmail_from');
+ if (empty($this->Sender) && !empty($sendmail_from_value)) {
//PHP config has a sender address we can use
$this->Sender = ini_get('sendmail_from');
}
@@ -1726,7 +1745,7 @@
fwrite($mail, $header);
fwrite($mail, $body);
$result = pclose($mail);
- $addrinfo = static::parseAddresses($toAddr);
+ $addrinfo = static::parseAddresses($toAddr, true, $this->CharSet);
$this->doCallback(
($result === 0),
[[$addrinfo['address'], $addrinfo['name']]],
@@ -1781,7 +1800,13 @@
*/
protected static function isShellSafe($string)
{
- //Future-proof
+ //It's not possible to use shell commands safely (which includes the mail() function) without escapeshellarg,
+ //but some hosting providers disable it, creating a security problem that we don't want to have to deal with,
+ //so we don't.
+ if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
+ return false;
+ }
+
if (
escapeshellcmd($string) !== $string
|| !in_array(escapeshellarg($string), ["'$string'", "\"$string\""])
@@ -1871,7 +1896,10 @@
//Qmail docs: http://www.qmail.org/man/man8/qmail-inject.html
//Example problem: https://www.drupal.org/node/1057954
//CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
- if (empty($this->Sender) && !empty(ini_get('sendmail_from'))) {
+
+ //PHP 5.6 workaround
+ $sendmail_from_value = ini_get('sendmail_from');
+ if (empty($this->Sender) && !empty($sendmail_from_value)) {
//PHP config has a sender address we can use
$this->Sender = ini_get('sendmail_from');
}
@@ -1886,7 +1914,7 @@
if ($this->SingleTo && count($toArr) > 1) {
foreach ($toArr as $toAddr) {
$result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
- $addrinfo = static::parseAddresses($toAddr);
+ $addrinfo = static::parseAddresses($toAddr, true, $this->CharSet);
$this->doCallback(
$result,
[[$addrinfo['address'], $addrinfo['name']]],
@@ -2135,7 +2163,8 @@
}
if ($tls) {
if (!$this->smtp->startTLS()) {
- throw new Exception($this->lang('connect_host'));
+ $message = $this->getSmtpErrorMessage('connect_host');
+ throw new Exception($message);
}
//We must resend EHLO after TLS negotiation
$this->smtp->hello($hello);
@@ -2165,6 +2194,10 @@
//As we've caught all exceptions, just report whatever the last one was
if ($this->exceptions && null !== $lastexception) {
throw $lastexception;
+ } elseif ($this->exceptions) {
+ // no exception was thrown, likely $this->smtp->connect() failed
+ $message = $this->getSmtpErrorMessage('connect_host');
+ throw new Exception($message);
}
return false;
@@ -2183,14 +2216,15 @@
/**
* Set the language for error messages.
- * Returns false if it cannot load the language file.
* The default language is English.
*
* @param string $langcode ISO 639-1 2-character language code (e.g. French is "fr")
- * @param string $lang_path Path to the language file directory, with trailing separator (slash).D
+ * Optionally, the language code can be enhanced with a 4-character
+ * script annotation and/or a 2-character country annotation.
+ * @param string $lang_path Path to the language file directory, with trailing separator (slash)
* Do not set this from user input!
*
- * @return bool
+ * @return bool Returns true if the requested language was loaded, false otherwise.
*/
public function setLanguage($langcode = 'en', $lang_path = '')
{
@@ -2213,44 +2247,77 @@
//Define full set of translatable strings in English
$PHPMAILER_LANG = [
'authenticate' => 'SMTP Error: Could not authenticate.',
+ 'buggy_php' => 'Your version of PHP is affected by a bug that may result in corrupted messages.' .
+ ' To fix it, switch to sending using SMTP, disable the mail.add_x_header option in' .
+ ' your php.ini, switch to MacOS or Linux, or upgrade your PHP to version 7.0.17+ or 7.1.3+.',
'connect_host' => 'SMTP Error: Could not connect to SMTP host.',
'data_not_accepted' => 'SMTP Error: data not accepted.',
'empty_message' => 'Message body empty',
'encoding' => 'Unknown encoding: ',
'execute' => 'Could not execute: ',
+ 'extension_missing' => 'Extension missing: ',
'file_access' => 'Could not access file: ',
'file_open' => 'File Error: Could not open file: ',
'from_failed' => 'The following From address failed: ',
'instantiate' => 'Could not instantiate mail function.',
'invalid_address' => 'Invalid address: ',
+ 'invalid_header' => 'Invalid header name or value',
'invalid_hostentry' => 'Invalid hostentry: ',
'invalid_host' => 'Invalid host: ',
'mailer_not_supported' => ' mailer is not supported.',
'provide_address' => 'You must provide at least one recipient email address.',
'recipients_failed' => 'SMTP Error: The following recipients failed: ',
'signing' => 'Signing Error: ',
+ 'smtp_code' => 'SMTP code: ',
+ 'smtp_code_ex' => 'Additional SMTP info: ',
'smtp_connect_failed' => 'SMTP connect() failed.',
+ 'smtp_detail' => 'Detail: ',
'smtp_error' => 'SMTP server error: ',
'variable_set' => 'Cannot set or reset variable: ',
- 'extension_missing' => 'Extension missing: ',
];
if (empty($lang_path)) {
//Calculate an absolute path so it can work if CWD is not here
$lang_path = dirname(__DIR__) . DIRECTORY_SEPARATOR . 'language' . DIRECTORY_SEPARATOR;
}
+
//Validate $langcode
- if (!preg_match('/^[a-z]{2}(?:_[a-zA-Z]{2})?$/', $langcode)) {
+ $foundlang = true;
+ $langcode = strtolower($langcode);
+ if (
+ !preg_match('/^(?P<lang>[a-z]{2})(?P<script>_[a-z]{4})?(?P<country>_[a-z]{2})?$/', $langcode, $matches)
+ && $langcode !== 'en'
+ ) {
+ $foundlang = false;
$langcode = 'en';
}
- $foundlang = true;
- $lang_file = $lang_path . 'phpmailer.lang-' . $langcode . '.php';
+
//There is no English translation file
if ('en' !== $langcode) {
- //Make sure language file path is readable
- if (!static::fileIsAccessible($lang_file)) {
+ $langcodes = [];
+ if (!empty($matches['script']) && !empty($matches['country'])) {
+ $langcodes[] = $matches['lang'] . $matches['script'] . $matches['country'];
+ }
+ if (!empty($matches['country'])) {
+ $langcodes[] = $matches['lang'] . $matches['country'];
+ }
+ if (!empty($matches['script'])) {
+ $langcodes[] = $matches['lang'] . $matches['script'];
+ }
+ $langcodes[] = $matches['lang'];
+
+ //Try and find a readable language file for the requested language.
+ $foundFile = false;
+ foreach ($langcodes as $code) {
+ $lang_file = $lang_path . 'phpmailer.lang-' . $code . '.php';
+ if (static::fileIsAccessible($lang_file)) {
+ $foundFile = true;
+ break;
+ }
+ }
+
+ if ($foundFile === false) {
$foundlang = false;
} else {
- //$foundlang = include $lang_file;
$lines = file($lang_file);
foreach ($lines as $line) {
//Translation file lines look like this:
@@ -2285,6 +2352,10 @@
*/
public function getTranslations()
{
+ if (empty($this->language)) {
+ $this->setLanguage(); // Set the default language.
+ }
+
return $this->language;
}
@@ -2553,7 +2624,17 @@
//Only allow a custom message ID if it conforms to RFC 5322 section 3.6.4
//https://tools.ietf.org/html/rfc5322#section-3.6.4
- if ('' !== $this->MessageID && preg_match('/^<.*@.*>$/', $this->MessageID)) {
+ if (
+ '' !== $this->MessageID &&
+ preg_match(
+ '/^<((([a-z\d!#$%&\'*+\/=?^_`{|}~-]+(\.[a-z\d!#$%&\'*+\/=?^_`{|}~-]+)*)' .
+ '|("(([\x01-\x08\x0B\x0C\x0E-\x1F\x7F]|[\x21\x23-\x5B\x5D-\x7E])' .
+ '|(\\[\x01-\x09\x0B\x0C\x0E-\x7F]))*"))@(([a-z\d!#$%&\'*+\/=?^_`{|}~-]+' .
+ '(\.[a-z\d!#$%&\'*+\/=?^_`{|}~-]+)*)|(\[(([\x01-\x08\x0B\x0C\x0E-\x1F\x7F]' .
+ '|[\x21-\x5A\x5E-\x7E])|(\\[\x01-\x09\x0B\x0C\x0E-\x7F]))*\])))>$/Di',
+ $this->MessageID
+ )
+ ) {
$this->lastMessageID = $this->MessageID;
} else {
$this->lastMessageID = sprintf('<%s@%s>', $this->uniqueid, $this->serverHostname());
@@ -2563,16 +2644,15 @@
$result .= $this->headerLine('X-Priority', $this->Priority);
}
if ('' === $this->XMailer) {
+ //Empty string for default X-Mailer header
$result .= $this->headerLine(
'X-Mailer',
'PHPMailer ' . self::VERSION . ' (https://github.com/PHPMailer/PHPMailer)'
);
- } else {
- $myXmailer = trim($this->XMailer);
- if ($myXmailer) {
- $result .= $this->headerLine('X-Mailer', $myXmailer);
- }
- }
+ } elseif (is_string($this->XMailer) && trim($this->XMailer) !== '') {
+ //Some string
+ $result .= $this->headerLine('X-Mailer', trim($this->XMailer));
+ } //Other values result in no X-Mailer header
if ('' !== $this->ConfirmReadingTo) {
$result .= $this->headerLine('Disposition-Notification-To', '<' . $this->ConfirmReadingTo . '>');
@@ -3937,13 +4017,13 @@
if (!empty($lasterror['error'])) {
$msg .= $this->lang('smtp_error') . $lasterror['error'];
if (!empty($lasterror['detail'])) {
- $msg .= ' Detail: ' . $lasterror['detail'];
+ $msg .= ' ' . $this->lang('smtp_detail') . $lasterror['detail'];
}
if (!empty($lasterror['smtp_code'])) {
- $msg .= ' SMTP code: ' . $lasterror['smtp_code'];
+ $msg .= ' ' . $this->lang('smtp_code') . $lasterror['smtp_code'];
}
if (!empty($lasterror['smtp_code_ex'])) {
- $msg .= ' Additional SMTP info: ' . $lasterror['smtp_code_ex'];
+ $msg .= ' ' . $this->lang('smtp_code_ex') . $lasterror['smtp_code_ex'];
}
}
}
@@ -4004,7 +4084,7 @@
empty($host)
|| !is_string($host)
|| strlen($host) > 256
- || !preg_match('/^([a-zA-Z\d.-]*|\[[a-fA-F\d:]+])$/', $host)
+ || !preg_match('/^([a-zA-Z\d.-]*|\[[a-fA-F\d:]+\])$/', $host)
) {
return false;
}
@@ -4055,6 +4135,26 @@
}
/**
+ * Build an error message starting with a generic one and adding details if possible.
+ *
+ * @param string $base_key
+ * @return string
+ */
+ private function getSmtpErrorMessage($base_key)
+ {
+ $message = $this->lang($base_key);
+ $error = $this->smtp->getError();
+ if (!empty($error['error'])) {
+ $message .= ' ' . $error['error'];
+ if (!empty($error['detail'])) {
+ $message .= ' ' . $error['detail'];
+ }
+ }
+
+ return $message;
+ }
+
+ /**
* Check if an error occurred.
*
* @return bool True if an error did occur
@@ -4081,11 +4181,11 @@
list($name, $value) = explode(':', $name, 2);
}
$name = trim($name);
- $value = trim($value);
+ $value = (null === $value) ? '' : trim($value);
//Ensure name is not empty, and that neither name nor value contain line breaks
if (empty($name) || strpbrk($name . $value, "\r\n") !== false) {
if ($this->exceptions) {
- throw new Exception('Invalid header name or value');
+ throw new Exception($this->lang('invalid_header'));
}
return false;
@@ -4239,7 +4339,8 @@
*
* @param string $html The HTML text to convert
* @param bool|callable $advanced Any boolean value to use the internal converter,
- * or provide your own callable for custom conversion
+ * or provide your own callable for custom conversion.
+ * *Never* pass user-supplied data into this parameter
*
* @return string
*/
@@ -4953,9 +5054,9 @@
}
/**
- * Get the OAuth instance.
- *
- * @return OAuth
+ * Get the OAuthTokenProvider instance.
+ *
+ * @return OAuthTokenProvider
*/
public function getOAuth()
{
@@ -4963,9 +5064,9 @@
}
/**
- * Set an OAuth instance.
- */
- public function setOAuth(OAuth $oauth)
+ * Set an OAuthTokenProvider instance.
+ */
+ public function setOAuth(OAuthTokenProvider $oauth)
{
$this->oauth = $oauth;
}