Changeset 101380 in spip-zone for _plugins_/facteur


Timestamp:
Dec 28, 2016, 4:40:52 PM (2 years ago)
Author:
brunobergot@…
Message:

version 3.4.7 : sécurité, maj de PHPMailer version 5.2.21

Location:
_plugins_/facteur/trunk
Files:
5 edited

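--- a/_plugins_/facteur/trunk/paquet.xml
+++ b/_plugins_/facteur/trunk/paquet.xml
@@ -2,5 +2,5 @@
         prefix="facteur"
         categorie="communication"
-        version="3.4.6"
+        version="3.4.7"
         etat="stable"
         compatibilite="[3.0.0;3.1.*]"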
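--- a/_plugins_/facteur/trunk/phpmailer-php5/VERSION
+++ b/_plugins_/facteur/trunk/phpmailer-php5/VERSION
@@ -1 +1 @@
-5.2.19
+5.2.21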
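--- a/_plugins_/facteur/trunk/phpmailer-php5/class.phpmailer.php
+++ b/_plugins_/facteur/trunk/phpmailer-php5/class.phpmailer.php
@@ -32,5 +32,5 @@
      * @var string
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**
@@ -1365,17 +1365,22 @@
     protected function sendmailSend($header, $body)
     {
-        if (!empty($this->Sender)) {
+        // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+        if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
             if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -f%s';
             } else {
-                $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -oi -f%s -t';
             }
         } else {
             if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s';
             } else {
-                $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
-            }
-        }
+                $sendmailFmt = '%s -oi -t';
+            }
+        }
+
+        // TODO: If possible, this should be changed to escapeshellarg.  Needs thorough testing.
+        $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
+
         if ($this->SingleTo) {
             foreach ($this->SingleToArray as $toAddr) {
@@ -1424,4 +1429,38 @@
 
     /**
+     * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
+     *
+     * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+     * @param string $string The string to be validated
+     * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
+     * @access protected
+     * @return boolean
+     */
+    protected static function isShellSafe($string)
+    {
+        // Future-proof
+        if (escapeshellcmd($string) !== $string
+            or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))
+        ) {
+            return false;
+        }
+
+        $length = strlen($string);
+
+        for ($i = 0; $i < $length; $i++) {
+            $c = $string[$i];
+
+            // All other characters have a special meaning in at least one common shell, including = and +.
+            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
      * Send mail using the PHP mail() function.
      * @param string $header The message headers
@@ -1443,5 +1482,8 @@
         //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
         if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
-            $params = sprintf('-f%s', escapeshellarg($this->Sender));
+            // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+            if (self::isShellSafe($this->Sender)) {
+                $params = sprintf('-f%s', $this->Sender);
+            }
         }
         if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {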
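Review bot: A Sender that fails `isShellSafe` is silently dropped from the command line in both the `mailSend` hunk (new lines 1484–1487) and the `sendmailSend` hunk (new lines 1367–1383), so a legitimate address that merely contains a `+` or a non-ASCII letter loses its `-f` envelope sender and bounces go to the MTA default with nothing in the debug output. A diagnostic in the rejected branch, e.g. `$this->edebug('Sender not shell-safe, envelope sender omitted');`, would make that fallback visible to operators without loosening the allow-list. Both `sendmailSend` and `mailSend` start and end outside these hunks, so whether `$params` is initialised before line 1484 — which it must be, now that the assignment is conditional — cannot be confirmed from here. The allow-list shape of `isShellSafe` (positive character class instead of escaping) is the appropriate form for this fix given the limits of escapeshellarg/escapeshellcmd that its docblock cites; the only thing I would add to its comment is that `strlen`/`$string[$i]` iterate bytes, so multi-byte characters are judged byte by byte under the current locale.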
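--- a/_plugins_/facteur/trunk/phpmailer-php5/class.pop3.php
+++ b/_plugins_/facteur/trunk/phpmailer-php5/class.pop3.php
@@ -35,5 +35,5 @@
      * @access public
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**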
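--- a/_plugins_/facteur/trunk/phpmailer-php5/class.smtp.php
+++ b/_plugins_/facteur/trunk/phpmailer-php5/class.smtp.php
@@ -31,5 +31,5 @@
      * @var string
      */
-    const VERSION = '5.2.19';
+    const VERSION = '5.2.21';
 
     /**
@@ -82,5 +82,5 @@
      * @see SMTP::VERSION
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**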