diff --git a/SECURITY.md b/SECURITY.md
index 8cf18606..cedcd3b0 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,7 +2,7 @@
 Please disclose any security issues or vulnerabilities found through [Tidelift's coordinated disclosure system](https://tidelift.com/security) or to the maintainers privately.
-PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the `$patternselect` parameter to `validateAddress()` is set to `'php'` (the default, defined by `static::$validator`), and the global namespace contains a function called `php`, it will be called in preference to the built-in validator of the same name. This is patched in PHPMailer 6.5.0 by denying the use of callables with the same names as built-in validators. Reported by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/). Recorded as [CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603).
+PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project's scope by other means). If the `$patternselect` parameter to `validateAddress()` is set to `'php'` (the default, defined by `static::$validator`), and the global namespace contains a function called `php`, it will be called in preference to the built-in validator of the same name. This is patched in PHPMailer 6.5.0 by denying the use of simple strings as validator function names, which is a very minor BC break. Reported by [Vikrant Singh Chauhan](mailto:vi@hackberry.xyz) via [huntr.dev](https://www.huntr.dev/). Recorded as [CVE-2021-3603](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3603).
 PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier CVE-2018-19296 object injection vulnerability as a result of [a fix for Windows UNC paths in 6.1.8](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9).
Recorded as [CVE-2020-36326](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36326). Reported by Fariskhi Vidyan via Tidelift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes in local path contexts.
diff --git a/src/PHPMailer.php b/src/PHPMailer.php
index 83733641..032ef1cf 100644
--- a/src/PHPMailer.php
+++ b/src/PHPMailer.php
@@ -1337,12 +1337,8 @@ class PHPMailer
 if (null === $patternselect) {
 $patternselect = static::$validator;
 }
-//Don't allow overriding built-in validators with callables
-if (
-is_callable($patternselect) &&
-//It's callable and not a string, or it's a string callable that's not a built-in pattern
-(!is_string($patternselect) || !in_array(strtolower($patternselect), ['php', 'pcre', 'pcre8', 'html5']))
-) {
+//Don't allow strings as callables, see SECURITY.md and CVE-2021-3603
+if (is_callable($patternselect) && !is_string($patternselect)) {
 return call_user_func($patternselect, $address);
 }
 //Reject line breaks in addresses; it's valid RFC5322, but not RFC5321
diff --git a/test/PHPMailerTest.php b/test/PHPMailerTest.php
index b6c13f06..e6aa4c77 100644
--- a/test/PHPMailerTest.php
+++ b/test/PHPMailerTest.php
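Review bot: The added guard evaluates `is_callable($patternselect)` before `!is_string($patternselect)`, so a string value is still handed to `is_callable()`, which for a `'Class::method'`-shaped string can trigger the autoloader even though the branch then rejects it. Reordering to `if (!is_string($patternselect) && is_callable($patternselect)) {` rejects strings without resolving them at all and skips the check on the common default path where `static::$validator` is `'php'`. Since only non-string callables now reach it, the retained `return call_user_func($patternselect, $address);` can be written as `return $patternselect($address);`. validateAddress() starts and ends outside the hunk; its docblock for `$patternselect` (not visible here) should state that a string is never treated as a callable and is presumably handled by the built-in validator selection that follows.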
@@ -733,13 +733,14 @@ final class PHPMailerTest extends TestCase
 'PHP validator not behaving as expected'
 );
-//Test denying override of built-in validator names
+//Test denying function name callables as validators
 //See SECURITY.md and CVE-2021-3603
 //If a `php` function defined in validators.php successfully overrides this built-in validator name,
 //this would return false – and we don't want to allow that
 self::assertTrue(PHPMailer::validateAddress('test@example.com', 'php'));
-//Check a non-matching validator function, which should be permitted, and return false in this case
-self::assertFalse(PHPMailer::validateAddress('test@example.com', 'phpx'));
+//Check that a non-existent validator name falls back to a built-in validator
+//and does not call a global function with that name
+self::assertTrue(PHPMailer::validateAddress('test@example.com', 'phpx'));
 }
 /**
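Review bot: The new `assertTrue(PHPMailer::validateAddress('test@example.com', 'phpx'))` only demonstrates the fallback, not the claim in the comment above it that no global function named `phpx` is called: it passes identically whether or not such a function exists, unless the `validators.php` fixture defines a `phpx` function returning `false`, as the earlier comment says it does for `php`. If the fixture has no `phpx`, add one returning `false` so this assertion fails if a string name is ever routed to `call_user_func()` again; otherwise reword the comment to `//Check that an unknown validator name falls back to the built-in validator`. The enclosing test method starts outside the hunk.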