From fd7ec67a7c96593525035fc491406f168bf142c3 Mon Sep 17 00:00:00 2001
From: Marcus Bointon
Date: Thu, 29 Apr 2021 10:53:19 +0200
Subject: [PATCH] Add more tests for bad paths
---
 test/PHPMailerTest.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/test/PHPMailerTest.php b/test/PHPMailerTest.php
index f5cd0e90..cd3adb82 100644
--- a/test/PHPMailerTest.php
+++ b/test/PHPMailerTest.php
@@ -1238,6 +1238,18 @@ EOT;
 return;
 }
+ //Make sure phar paths are rejected
+ self::assertFalse($this->Mail->addAttachment('phar://pharfile.php', 'pharfile.php'));
+ //Make sure any path that looks URLish is rejected
+ self::assertFalse($this->Mail->addAttachment('http://example.com/test.php', 'test.php'));
+ self::assertFalse(
+ $this->Mail->addAttachment(
+ 'ssh2.sftp://user:pass@attacker-controlled.example.com:22/tmp/payload.phar',
+ 'test.php'
+ )
+ );
+ self::assertFalse($this->Mail->addAttachment('x-1.cd+-://example.com/test.php', 'test.php'));
+
 //Make sure that trying to attach a nonexistent file fails
 $filename = __FILE__ . md5(microtime()) . 'nonexistent_file.txt';
 self::assertFalse($this->Mail->addAttachment($filename));
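Review bot: The four added `assertFalse($this->Mail->addAttachment(...))` calls cannot distinguish a path rejected for its scheme from one rejected because nothing readable is there. None of these paths is likely to resolve to a file during a test run, and the unchanged assertion right after the added lines shows that addAttachment() already returns false for a nonexistent file. If the URL-ish path check were removed or weakened later, these tests would most likely still pass, so they do not pin the security behaviour they are named for. A case whose target does exist but is addressed through a scheme would exercise the filter itself, for example `self::assertFalse($this->Mail->addAttachment('file://' . __FILE__, 'test.php'));`, assuming `file://` is meant to be covered as the comment "any path that looks URLish" suggests. The enclosing test method starts and ends outside the hunk.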