From 065630b975047a331e1ba3c82a4b79458974a2d9 Mon Sep 17 00:00:00 2001 From: johnnyq Date: Thu, 5 Feb 2026 11:46:28 -0500 Subject: [PATCH] Bump PHPMailer from 7.0.1 to 7.0.2 --- plugins/PHPMailer/VERSION | 2 +- plugins/PHPMailer/src/PHPMailer.php | 97 ++++++++++++++++++++++------- plugins/PHPMailer/src/POP3.php | 2 +- plugins/PHPMailer/src/SMTP.php | 28 +++++++-- 4 files changed, 99 insertions(+), 30 deletions(-) diff --git a/plugins/PHPMailer/VERSION b/plugins/PHPMailer/VERSION index 9fe9ff9d..a8907c02 100644 --- a/plugins/PHPMailer/VERSION +++ b/plugins/PHPMailer/VERSION @@ -1 +1 @@ -7.0.1 +7.0.2 diff --git a/plugins/PHPMailer/src/PHPMailer.php b/plugins/PHPMailer/src/PHPMailer.php index eb48e858..2bb3578c 100644 --- a/plugins/PHPMailer/src/PHPMailer.php +++ b/plugins/PHPMailer/src/PHPMailer.php @@ -768,7 +768,7 @@ class PHPMailer * * @var string */ - const VERSION = '7.0.1'; + const VERSION = '7.0.2'; /** * Error severity: message only, continue processing. @@ -988,6 +988,54 @@ class PHPMailer $this->Mailer = 'mail'; } + /** + * Extract sendmail path and parse to deal with known parameters. + * + * @param string $sendmailPath The sendmail path as set in php.ini + * + * @return string The sendmail path without the known parameters + */ + private function parseSendmailPath($sendmailPath) + { + $sendmailPath = trim((string)$sendmailPath); + if ($sendmailPath === '') { + return $sendmailPath; + } + + $parts = preg_split('/\s+/', $sendmailPath); + if (empty($parts)) { + return $sendmailPath; + } + + $command = array_shift($parts); + $remainder = []; + + // Parse only -t, -i, -oi and -f parameters. + for ($i = 0; $i < count($parts); ++$i) { + $part = $parts[$i]; + if (preg_match('/^-(i|oi|t)$/', $part, $matches)) { + continue; + } + if (preg_match('/^-f(.*)$/', $part, $matches)) { + $address = $matches[1]; + if ($address === '' && isset($parts[$i + 1]) && strpos($parts[$i + 1], '-') !== 0) { + $address = $parts[++$i]; + } + $this->Sender = $address; + continue; + } + + $remainder[] = $part; + } + + // The params that are not parsed are added back to the command. + if (!empty($remainder)) { + $command .= ' ' . implode(' ', $remainder); + } + + return $command; + } + /** * Send messages using $Sendmail. */ @@ -996,10 +1044,9 @@ class PHPMailer $ini_sendmail_path = ini_get('sendmail_path'); if (false === stripos($ini_sendmail_path, 'sendmail')) { - $this->Sendmail = '/usr/sbin/sendmail'; - } else { - $this->Sendmail = $ini_sendmail_path; + $ini_sendmail_path = '/usr/sbin/sendmail'; } + $this->Sendmail = $this->parseSendmailPath($ini_sendmail_path); $this->Mailer = 'sendmail'; } @@ -1011,10 +1058,9 @@ class PHPMailer $ini_sendmail_path = ini_get('sendmail_path'); if (false === stripos($ini_sendmail_path, 'qmail')) { - $this->Sendmail = '/var/qmail/bin/qmail-inject'; - } else { - $this->Sendmail = $ini_sendmail_path; + $ini_sendmail_path = '/var/qmail/bin/qmail-inject'; } + $this->Sendmail = $this->parseSendmailPath($ini_sendmail_path); $this->Mailer = 'qmail'; } @@ -1860,25 +1906,27 @@ class PHPMailer //PHP config has a sender address we can use $this->Sender = ini_get('sendmail_from'); } - //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. + + $sendmailArgs = []; + + // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. + // Also don't add the -f automatically unless it has been set either via Sender + // or sendmail_path. Otherwise it can introduce new problems. + // @see http://github.com/PHPMailer/PHPMailer/issues/2298 if (!empty($this->Sender) && static::validateAddress($this->Sender) && self::isShellSafe($this->Sender)) { - if ($this->Mailer === 'qmail') { - $sendmailFmt = '%s -f%s'; - } else { - $sendmailFmt = '%s -oi -f%s -t'; - } - } elseif ($this->Mailer === 'qmail') { - $sendmailFmt = '%s'; - } else { - //Allow sendmail to choose a default envelope sender. It may - //seem preferable to force it to use the From header as with - //SMTP, but that introduces new problems (see - //), and - //it has historically worked this way. - $sendmailFmt = '%s -oi -t'; + $sendmailArgs[] = '-f' . $this->Sender; } - $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender); + // Qmail doesn't accept all the sendmail parameters + // @see https://github.com/PHPMailer/PHPMailer/issues/3189 + if ($this->Mailer !== 'qmail') { + $sendmailArgs[] = '-i'; + $sendmailArgs[] = '-t'; + } + + $resultArgs = (empty($sendmailArgs) ? '' : ' ' . implode(' ', $sendmailArgs)); + + $sendmail = trim(escapeshellcmd($this->Sendmail) . $resultArgs); $this->edebug('Sendmail path: ' . $this->Sendmail); $this->edebug('Sendmail command: ' . $sendmail); $this->edebug('Envelope sender: ' . $this->Sender); @@ -2062,7 +2110,8 @@ class PHPMailer $this->Sender = ini_get('sendmail_from'); } if (!empty($this->Sender) && static::validateAddress($this->Sender)) { - if (self::isShellSafe($this->Sender)) { + $phpmailer_path = ini_get('sendmail_path'); + if (self::isShellSafe($this->Sender) && strpos($phpmailer_path, ' -f') === false) { $params = sprintf('-f%s', $this->Sender); } $old_from = ini_get('sendmail_from'); diff --git a/plugins/PHPMailer/src/POP3.php b/plugins/PHPMailer/src/POP3.php index bf43acaf..186fe9fe 100644 --- a/plugins/PHPMailer/src/POP3.php +++ b/plugins/PHPMailer/src/POP3.php @@ -47,7 +47,7 @@ class POP3 * @var string * @deprecated This constant will be removed in PHPMailer 8.0. Use `PHPMailer::VERSION` instead. */ - const VERSION = '7.0.1'; + const VERSION = '7.0.2'; /** * Default POP3 port number. diff --git a/plugins/PHPMailer/src/SMTP.php b/plugins/PHPMailer/src/SMTP.php index b657798c..559b52c4 100644 --- a/plugins/PHPMailer/src/SMTP.php +++ b/plugins/PHPMailer/src/SMTP.php @@ -36,7 +36,7 @@ class SMTP * @var string * @deprecated This constant will be removed in PHPMailer 8.0. Use `PHPMailer::VERSION` instead. */ - const VERSION = '7.0.1'; + const VERSION = '7.0.2'; /** * SMTP line break constant. @@ -770,6 +770,25 @@ class SMTP } } + private function iterateLines($s) + { + $start = 0; + $length = strlen($s); + + for ($i = 0; $i < $length; $i++) { + $c = $s[$i]; + if ($c === "\n" || $c === "\r") { + yield substr($s, $start, $i - $start); + if ($c === "\r" && $i + 1 < $length && $s[$i + 1] === "\n") { + $i++; + } + $start = $i + 1; + } + } + + yield substr($s, $start); + } + /** * Send an SMTP DATA command. * Issues a data command and sends the msg_data to the server, @@ -798,15 +817,16 @@ class SMTP * NOTE: this does not count towards line-length limit. */ - //Normalize line breaks before exploding - $lines = explode("\n", str_replace(["\r\n", "\r"], "\n", $msg_data)); + //Iterate over lines with normalized line breaks + $lines = $this->iterateLines($msg_data); /* To distinguish between a complete RFC822 message and a plain message body, we check if the first field * of the first line (':' separated) does not contain a space then it _should_ be a header, and we will * process all lines before a blank line as headers. */ - $field = substr($lines[0], 0, strpos($lines[0], ':')); + $first_line = $lines->current(); + $field = substr($first_line, 0, strpos($first_line, ':')); $in_headers = false; if (!empty($field) && strpos($field, ' ') === false) { $in_headers = true;