From de900990804e4aef0f0cbeaf796fac8a59fcb5f1 Mon Sep 17 00:00:00 2001
From: Marcus Bointon
Date: Tue, 15 Jun 2021 14:54:40 +0200
Subject: [PATCH] Add tests for injected validators

---
 test/PHPMailerTest.php | 13 ++++++++++++-
 test/validators.php    | 12 ++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 test/validators.php

diff --git a/test/PHPMailerTest.php b/test/PHPMailerTest.php
index cd3adb82..b6c13f06 100644
--- a/test/PHPMailerTest.php
+++ b/test/PHPMailerTest.php
@@ -20,6 +20,8 @@ use PHPMailer\PHPMailer\POP3;
 use PHPMailer\PHPMailer\SMTP;
 use Yoast\PHPUnitPolyfills\TestCases\TestCase;
 
+require_once __DIR__ . '/validators.php';
+
 /**
  * PHPMailer - PHP email transport unit test class.
  */
@@ -669,6 +671,7 @@ final class PHPMailerTest extends TestCase
             $err .= implode("\n", $badpasses);
         }
         self::assertEmpty($err, $err);
+
         //For coverage
         self::assertTrue(PHPMailer::validateAddress('test@example.com', 'auto'));
         self::assertFalse(PHPMailer::validateAddress('test@example.com.', 'auto'));
@@ -722,13 +725,21 @@ final class PHPMailerTest extends TestCase
             $this->Mail->addAddress('bananas@example.com'),
             'Custom default validator false positive'
         );
-        //Set default validator to PHP built-in
+        //Set validator back to default
         PHPMailer::$validator = 'php';
         self::assertFalse(
             //This is a valid address that FILTER_VALIDATE_EMAIL thinks is invalid
             $this->Mail->addAddress('first.last@example.123'),
             'PHP validator not behaving as expected'
         );
+
+        //Test denying override of built-in validator names
+        //See SECURITY.md and CVE-2021-3603
+        //If a `php` function defined in validators.php successfully overrides this built-in validator name,
+        //this would return false – and we don't want to allow that
+        self::assertTrue(PHPMailer::validateAddress('test@example.com', 'php'));
+        //Check a non-matching validator function, which should be permitted, and return false in this case
+        self::assertFalse(PHPMailer::validateAddress('test@example.com', 'phpx'));
     }
 
     /**
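Review bot: The two new assertions at the end of the last hunk carry no failure message, unlike the `assertFalse(...)` just above them that reports 'PHP validator not behaving as expected', so a regression would surface as a bare boolean mismatch with the CVE context living only in comments; pass the intent as the message, e.g. `self::assertTrue(PHPMailer::validateAddress('test@example.com', 'php'), 'Built-in validator name overridden by injected function (CVE-2021-3603)');` and `self::assertFalse(PHPMailer::validateAddress('test@example.com', 'phpx'), 'Injected custom validator not applied');`. Both checks only mean what the comments say if the stubs in test/validators.php (a new file whose body is outside this chunk) are shaped accordingly — the `php` stub must return false for this address and `phpx` must be defined — so a short comment in that file tying each stub to these assertions would keep the two files from drifting. The enclosing test method starts before this hunk.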
diff --git a/test/validators.php b/test/validators.php
new file mode 100644
index 00000000..ee28d54e
--- /dev/null
+++ b/test/validators.php
@@ -0,0 +1,12 @@
+