From 0ed33daab60ace4d3001a2037ae9904b0d388818 Mon Sep 17 00:00:00 2001 From: Marcus Bointon Date: Wed, 14 Nov 2018 16:06:01 +0100 Subject: [PATCH 1/6] Merge Serbian translation changes, fix incorrect ISO639 code and mapping, see #1598 --- language/phpmailer.lang-rs.php | 26 -------------------------- language/phpmailer.lang-sr.php | 1 + src/PHPMailer.php | 2 +- 3 files changed, 2 insertions(+), 27 deletions(-) delete mode 100644 language/phpmailer.lang-rs.php diff --git a/language/phpmailer.lang-rs.php b/language/phpmailer.lang-rs.php deleted file mode 100644 index 0502f021..00000000 --- a/language/phpmailer.lang-rs.php +++ /dev/null @@ -1,26 +0,0 @@ - - */ - -$PHPMAILER_LANG['authenticate'] = 'SMTP грешка: аутентификација није успела.'; -$PHPMAILER_LANG['connect_host'] = 'SMTP грешка: није могуће повезивање са SMTP сервером.'; -$PHPMAILER_LANG['data_not_accepted'] = 'SMTP грешка: подаци нису прихваћени.'; -$PHPMAILER_LANG['empty_message'] = 'Садржај поруке је празан.'; -$PHPMAILER_LANG['encoding'] = 'Непознато кодовање: '; -$PHPMAILER_LANG['execute'] = 'Није могуће извршити наредбу: '; -$PHPMAILER_LANG['file_access'] = 'Није могуће приступити датотеци: '; -$PHPMAILER_LANG['file_open'] = 'Није могуће отворити датотеку: '; -$PHPMAILER_LANG['from_failed'] = 'SMTP грешка: слање са следећих адреса није успело: '; -$PHPMAILER_LANG['recipients_failed'] = 'SMTP грешка: слање на следеће адресе није успело: '; -$PHPMAILER_LANG['instantiate'] = 'Није могуће покренути mail функцију.'; -$PHPMAILER_LANG['invalid_address'] = 'Порука није послата због неисправне адресе: '; -$PHPMAILER_LANG['mailer_not_supported'] = ' мејлер није подржан.'; -$PHPMAILER_LANG['provide_address'] = 'Потребно је задати најмање једну адресу.'; -$PHPMAILER_LANG['signing'] = 'Грешка приликом пријављивања: '; -$PHPMAILER_LANG['smtp_connect_failed'] = 'Повезивање са SMTP сервером није успело.'; -$PHPMAILER_LANG['smtp_error'] = 'Грешка SMTP сервера: '; -$PHPMAILER_LANG['variable_set'] = 'Није могуће задати променљиву, нити је вратити уназад: '; -$PHPMAILER_LANG['extension_missing'] = 'Недостаје проширење: '; diff --git a/language/phpmailer.lang-sr.php b/language/phpmailer.lang-sr.php index b6bfdd0f..34c1e182 100644 --- a/language/phpmailer.lang-sr.php +++ b/language/phpmailer.lang-sr.php @@ -2,6 +2,7 @@ /** * Serbian PHPMailer language file: refer to English translation for definitive list * @package PHPMailer + * @author Александар Јевремовић * @author Miloš Milanović */ diff --git a/src/PHPMailer.php b/src/PHPMailer.php index fd8f1ece..61ed5191 100644 --- a/src/PHPMailer.php +++ b/src/PHPMailer.php @@ -1995,7 +1995,7 @@ class PHPMailer 'dk' => 'da', 'no' => 'nb', 'se' => 'sv', - 'sr' => 'rs', + 'rs' => 'sr', 'tg' => 'tl', ]; From 8e653bb79643abad30ae60b1aad6966c0810b896 Mon Sep 17 00:00:00 2001 From: Marcus Bointon Date: Thu, 15 Nov 2018 23:01:42 +0100 Subject: [PATCH 2/6] Mitigations for CVE-2018-19296 --- src/PHPMailer.php | 29 ++++++++++++++++++++++++----- test/PHPMailerTest.php | 16 ++++++++++++++++ 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/src/PHPMailer.php b/src/PHPMailer.php index 61ed5191..b0b2abe2 100644 --- a/src/PHPMailer.php +++ b/src/PHPMailer.php @@ -1471,7 +1471,10 @@ class PHPMailer if (!empty($this->DKIM_domain) and !empty($this->DKIM_selector) and (!empty($this->DKIM_private_string) - or (!empty($this->DKIM_private) and file_exists($this->DKIM_private)) + or (!empty($this->DKIM_private) + and static::isPermittedPath($this->DKIM_private) + and file_exists($this->DKIM_private) + ) ) ) { $header_dkim = $this->DKIM_Add( @@ -1648,6 +1651,20 @@ class PHPMailer return true; } + /** + * Check whether a file path is of a permitted type. + * Used to reject URLs and phar files from functions that access local file paths, + * such as addAttachment. + * + * @param string $path A relative or absolute path to a file. + * + * @return bool + */ + protected static function isPermittedPath($path) + { + return !preg_match('#^[a-z]+://#i', $path); + } + /** * Send mail using the PHP mail() function. * @@ -2038,7 +2055,7 @@ class PHPMailer // There is no English translation file if ('en' != $langcode) { // Make sure language file path is readable - if (!file_exists($lang_file)) { + if (!static::isPermittedPath($lang_file) || !file_exists($lang_file)) { $foundlang = false; } else { // Overwrite language-specific strings. @@ -2776,6 +2793,8 @@ class PHPMailer * Add an attachment from a path on the filesystem. * Never use a user-supplied path to a file! * Returns false if the file could not be found or read. + * Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client. + * If you need to do that, fetch the resource yourself and pass it in via a local file or string. * * @param string $path Path to the attachment * @param string $name Overrides the attachment name @@ -2790,7 +2809,7 @@ class PHPMailer public function addAttachment($path, $name = '', $encoding = self::ENCODING_BASE64, $type = '', $disposition = 'attachment') { try { - if (!@is_file($path)) { + if (!static::isPermittedPath($path) || !@is_file($path)) { throw new Exception($this->lang('file_access') . $path, self::STOP_CONTINUE); } @@ -2972,7 +2991,7 @@ class PHPMailer protected function encodeFile($path, $encoding = self::ENCODING_BASE64) { try { - if (!file_exists($path)) { + if (!static::isPermittedPath($path) || !file_exists($path)) { throw new Exception($this->lang('file_open') . $path, self::STOP_CONTINUE); } $file_buffer = file_get_contents($path); @@ -3313,7 +3332,7 @@ class PHPMailer */ public function addEmbeddedImage($path, $cid, $name = '', $encoding = self::ENCODING_BASE64, $type = '', $disposition = 'inline') { - if (!@is_file($path)) { + if (!static::isPermittedPath($path) || !@is_file($path)) { $this->setError($this->lang('file_access') . $path); return false; diff --git a/test/PHPMailerTest.php b/test/PHPMailerTest.php index 5d2e9926..84954454 100644 --- a/test/PHPMailerTest.php +++ b/test/PHPMailerTest.php @@ -798,6 +798,22 @@ final class PHPMailerTest extends TestCase $this->assertTrue($this->Mail->send(), $this->Mail->ErrorInfo); } + /** + * Rejection of non-local file attachments test. + */ + public function testRejectNonLocalFileAttachment() + { + $this->assertFalse( + $this->Mail->addAttachment('https://github.com/PHPMailer/PHPMailer/raw/master/README.md'), + 'addAttachment should reject remote URLs' + ); + + $this->assertFalse( + $this->Mail->addAttachment('phar://phar.php'), + 'addAttachment should reject phar resources' + ); + } + /** * Simple plain string attachment test. */ From 77c26cdf188180db91cb28f93dd9e08eda3c5b24 Mon Sep 17 00:00:00 2001 From: Marcus Bointon Date: Thu, 15 Nov 2018 23:02:30 +0100 Subject: [PATCH 3/6] Use debug level constants --- test/PHPMailerTest.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/test/PHPMailerTest.php b/test/PHPMailerTest.php index 84954454..a7b35b6c 100644 --- a/test/PHPMailerTest.php +++ b/test/PHPMailerTest.php @@ -14,6 +14,7 @@ namespace PHPMailer\Test; use PHPMailer\PHPMailer\OAuth; use PHPMailer\PHPMailer\PHPMailer; +use PHPMailer\PHPMailer\SMTP; use PHPMailer\PHPMailer\POP3; use PHPUnit\Framework\TestCase; @@ -74,7 +75,7 @@ final class PHPMailerTest extends TestCase include $this->INCLUDE_DIR . '/test/testbootstrap.php'; //Overrides go in here } $this->Mail = new PHPMailer(); - $this->Mail->SMTPDebug = 3; //Full debug output + $this->Mail->SMTPDebug = SMTP::DEBUG_CONNECTION; //Full debug output $this->Mail->Debugoutput = ['PHPMailer\Test\DebugLogTestListener', 'debugLog']; $this->Mail->Priority = 3; $this->Mail->Encoding = '8bit'; @@ -2522,7 +2523,7 @@ EOT; */ public function testSmtpConnect() { - $this->Mail->SMTPDebug = 4; //Show connection-level errors + $this->Mail->SMTPDebug = SMTP::DEBUG_LOWLEVEL; //Show connection-level errors $this->assertTrue($this->Mail->smtpConnect(), 'SMTP single connect failed'); $this->Mail->smtpClose(); From 76e08791ba4d254b1ff026c2d88ecbb36c30b57e Mon Sep 17 00:00:00 2001 From: Marcus Bointon Date: Thu, 15 Nov 2018 23:03:38 +0100 Subject: [PATCH 4/6] 6.0.6 --- README.md | 2 ++ SECURITY.md | 4 +++- VERSION | 2 +- changelog.md | 11 ++++++++++- src/PHPMailer.php | 2 +- src/POP3.php | 2 +- src/SMTP.php | 2 +- 7 files changed, 19 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index e5cd9891..85f758d1 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,8 @@ If you don't speak git or just want a tarball, click the 'zip' button on the rig ## Legacy versions PHPMailer 5.2 (which is compatible with PHP 5.0 - 7.0) is no longer being supported for feature updates, and will only be receiving security updates from now on. You will find the latest version of 5.2 in the [5.2-stable branch](https://github.com/PHPMailer/PHPMailer/tree/5.2-stable), and future versions of 5.2 will be tagged with 5.2.x version numbers, so existing Composer configs should remain working. If you're using PHP 5.5 or later, we recommend you make the necessary changes to switch to the 6.0 release. +The 5.2 branch will not receive security updates after December 31st 2018. + ## Upgrading from 5.2 The biggest changes are that source files are now in the `src/` folder, and PHPMailer now declares the namespace `PHPMailer\PHPMailer`. This has several important effects – [read the upgrade guide](https://github.com/PHPMailer/PHPMailer/tree/master/UPGRADING.md) for more details. diff --git a/SECURITY.md b/SECURITY.md index 57a1f136..5e917cd0 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,7 +2,9 @@ Please disclose any vulnerabilities found responsibly - report any security problems found to the maintainers privately. -PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project. +PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing `phar://` paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded as [CVE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296). See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Sehun Oh of cyberone.kr. + +PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through composer, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project. PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file disclosure vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5223). If content passed into `msgHTML()` is sourced from unfiltered user input, relative paths can map to absolute local file paths and added as attachments. Also note that `addAttachment` (just like `file_get_contents`, `passthru`, `unlink`, etc) should not be passed user-sourced params either! Reported by Yongxiang Li of Asiasecurity. diff --git a/VERSION b/VERSION index 81f0c273..e8738082 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -6.0.5 \ No newline at end of file +6.0.6 \ No newline at end of file diff --git a/changelog.md b/changelog.md index f7b42273..37e7953d 100644 --- a/changelog.md +++ b/changelog.md @@ -1,7 +1,11 @@ # PHPMailer Change Log +## Version 6.0.6 (November 14th 2018) +* **SECURITY** Fix potential object injection vulnerability. Reported by Sehun Oh of cyberone.kr. * Added Tagalog translation, thanks to @StoneArtz * Added Malagache translation, thanks to @Hackinet +* Updated Serbian translation, fixed incorrect language code, thanks to @mmilanovic4 +* Updated Arabic translations (@MicroDroid) * Updated Hungarian translations * Updated Dutch translations * Updated Slovenian translation (@filips123) @@ -12,7 +16,12 @@ * Add constants for common values, such as `text/html` and `quoted-printable`, and use them * Added support for copied headers in DKIM, helping with debugging, and an option to add extra headers to the DKIM signature. See DKIM_sign example for how to use them. Thanks to @gwi-mmuths. * Add Campaign Monitor transaction ID pattern matcher -* Remove deprecated constant and ini values causing warnings in PHP 7.3. +* Remove deprecated constant and ini values causing warnings in PHP 7.3, added PHP 7.3 build to Travis config. +* Expanded test coverage + +## Version 5.2.27 (November 14th 2018) +* **SECURITY** Fix potential object injection vulnerability. Reported by Sehun Oh of cyberone.kr. +* Note that the 5.2 branch is now deprecated and will not receive security updates after 31st December 2018. ## Version 6.0.5 (March 27th 2018) * Re-roll of 6.0.4 to fix missed version file entry. No code changes. diff --git a/src/PHPMailer.php b/src/PHPMailer.php index b0b2abe2..9acb0d70 100644 --- a/src/PHPMailer.php +++ b/src/PHPMailer.php @@ -701,7 +701,7 @@ class PHPMailer * * @var string */ - const VERSION = '6.0.5'; + const VERSION = '6.0.6'; /** * Error severity: message only, continue processing. diff --git a/src/POP3.php b/src/POP3.php index 9b51c8ac..9dab992e 100644 --- a/src/POP3.php +++ b/src/POP3.php @@ -45,7 +45,7 @@ class POP3 * * @var string */ - const VERSION = '6.0.5'; + const VERSION = '6.0.6'; /** * Default POP3 port number. diff --git a/src/SMTP.php b/src/SMTP.php index 6cef06ef..9651e52e 100644 --- a/src/SMTP.php +++ b/src/SMTP.php @@ -34,7 +34,7 @@ class SMTP * * @var string */ - const VERSION = '6.0.5'; + const VERSION = '6.0.6'; /** * SMTP line break constant. From dec25e8b6ea1d4b7e130aa4e15c888faf3ef0db6 Mon Sep 17 00:00:00 2001 From: Marcus Bointon Date: Fri, 16 Nov 2018 01:35:56 +0100 Subject: [PATCH 5/6] Standards --- src/PHPMailer.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/PHPMailer.php b/src/PHPMailer.php index 9acb0d70..a3be338b 100644 --- a/src/PHPMailer.php +++ b/src/PHPMailer.php @@ -1656,7 +1656,7 @@ class PHPMailer * Used to reject URLs and phar files from functions that access local file paths, * such as addAttachment. * - * @param string $path A relative or absolute path to a file. + * @param string $path A relative or absolute path to a file * * @return bool */ From 8190d73eb5def11a43cfb020b7f36db65330698c Mon Sep 17 00:00:00 2001 From: Marcus Bointon Date: Fri, 16 Nov 2018 01:41:32 +0100 Subject: [PATCH 6/6] Standards --- test/PHPMailerTest.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/PHPMailerTest.php b/test/PHPMailerTest.php index a7b35b6c..d3d1e79f 100644 --- a/test/PHPMailerTest.php +++ b/test/PHPMailerTest.php @@ -14,8 +14,8 @@ namespace PHPMailer\Test; use PHPMailer\PHPMailer\OAuth; use PHPMailer\PHPMailer\PHPMailer; -use PHPMailer\PHPMailer\SMTP; use PHPMailer\PHPMailer\POP3; +use PHPMailer\PHPMailer\SMTP; use PHPUnit\Framework\TestCase; /**