diff --git a/plugins/PHPMailer/README.md b/plugins/PHPMailer/README.md index f4366686..bf0421f2 100644 --- a/plugins/PHPMailer/README.md +++ b/plugins/PHPMailer/README.md @@ -6,9 +6,9 @@ [](https://github.com/PHPMailer/PHPMailer/actions) [](https://codecov.io/gh/PHPMailer/PHPMailer) -[](https://packagist.org/packages/phpmailer/phpmailer) -[](https://packagist.org/packages/phpmailer/phpmailer) -[](https://packagist.org/packages/phpmailer/phpmailer) +[](https://packagist.org/packages/phpmailer/phpmailer) +[](https://packagist.org/packages/phpmailer/phpmailer) +[](https://packagist.org/packages/phpmailer/phpmailer) [](https://phpmailer.github.io/PHPMailer/) [](https://api.securityscorecards.dev/projects/github.com/PHPMailer/PHPMailer) @@ -78,7 +78,7 @@ require 'path/to/PHPMailer/src/SMTP.php'; If you're not using the `SMTP` class explicitly (you're probably not), you don't need a `use` line for it. Even if you're not using exceptions, you do still need to load the `Exception` class as it is used internally. ## Legacy versions -PHPMailer 5.2 (which is compatible with PHP 5.0 — 7.0) is no longer supported, even for security updates. You will find the latest version of 5.2 in the [5.2-stable branch](https://github.com/PHPMailer/PHPMailer/tree/5.2-stable). If you're using PHP 5.5 or later (which you should be), switch to the 6.x releases. +PHPMailer 5.2 (which is compatible with PHP 5.0 — 7.0) is no longer supported, even for security updates. You will find the latest version of 5.2 in the [5.2-stable branch](https://github.com/PHPMailer/PHPMailer/tree/5.2-stable). If you're using PHP 5.5 or later (which you should be), upgrade to a later release. ### Upgrading from 5.2 The biggest changes are that source files are now in the `src/` folder, and PHPMailer now declares the namespace `PHPMailer\PHPMailer`. This has several important effects – [read the upgrade guide](https://github.com/PHPMailer/PHPMailer/tree/master/UPGRADING.md) for more details. 
diff --git a/plugins/PHPMailer/VERSION b/plugins/PHPMailer/VERSION index a8907c02..21c8c7b4 100644 --- a/plugins/PHPMailer/VERSION +++ b/plugins/PHPMailer/VERSION @@ -1 +1 @@ -7.0.2 +7.1.1 diff --git a/plugins/PHPMailer/language/phpmailer.lang-nb.php b/plugins/PHPMailer/language/phpmailer.lang-nb.php index df8ff272..621d2e74 100644 --- a/plugins/PHPMailer/language/phpmailer.lang-nb.php +++ b/plugins/PHPMailer/language/phpmailer.lang-nb.php @@ -24,7 +24,7 @@ $PHPMAILER_LANG['invalid_host'] = 'Ugyldig vert: '; $PHPMAILER_LANG['mailer_not_supported'] = ' sender er ikke støttet.'; $PHPMAILER_LANG['provide_address'] = 'Du må oppgi minst én mottaker-e-postadresse.'; - $PHPMAILER_LANG['recipients_failed'] = 'SMTP Feil: Følgende mottakeradresse feilet: '; + $PHPMAILER_LANG['recipients_failed'] = 'SMTP-feil: Følgende mottakeradresser feilet: '; $PHPMAILER_LANG['signing'] = 'Signeringsfeil: '; $PHPMAILER_LANG['smtp_code'] = 'SMTP-kode: '; $PHPMAILER_LANG['smtp_code_ex'] = 'Ytterligere SMTP-info: '; diff --git a/plugins/PHPMailer/language/phpmailer.lang-tr.php b/plugins/PHPMailer/language/phpmailer.lang-tr.php index 3c45bc1c..ab555016 100644 --- a/plugins/PHPMailer/language/phpmailer.lang-tr.php +++ b/plugins/PHPMailer/language/phpmailer.lang-tr.php @@ -8,6 +8,7 @@ * @author Mehmet Benlioğlu * @author @yasinaydin * @author Ogün Karakuş + * @author Mustafa Deniz Buksur */ $PHPMAILER_LANG['authenticate'] = 'SMTP Hatası: Oturum açılamadı.'; 
@@ -36,3 +37,7 @@ $PHPMAILER_LANG['smtp_connect_failed'] = 'SMTP connect() fonksiyonu başarısı $PHPMAILER_LANG['smtp_detail'] = 'SMTP SMTP Detayı: '; $PHPMAILER_LANG['smtp_error'] = 'SMTP sunucu hatası: '; $PHPMAILER_LANG['variable_set'] = 'Değişken ayarlanamadı ya da sıfırlanamadı: '; +$PHPMAILER_LANG['no_smtputf8'] = 'Unicode adreslere gönderim için gereken SMTPUTF8 desteği sunucu tarafından desteklenmiyor.'; +$PHPMAILER_LANG['imap_recommended'] = 'Basitleştirilmiş adres ayrıştırıcısını kullanmanız önerilmez. ' . + 'Tam RFC822 ayrıştırma için PHP IMAP eklentisini yükleyin.'; +$PHPMAILER_LANG['deprecated_argument'] = 'Kullanımdan kaldırılmış argüman: '; diff --git a/plugins/PHPMailer/src/PHPMailer.php b/plugins/PHPMailer/src/PHPMailer.php index 2bb3578c..4900cbc4 100644 --- a/plugins/PHPMailer/src/PHPMailer.php +++ b/plugins/PHPMailer/src/PHPMailer.php @@ -59,6 +59,7 @@ class PHPMailer const ICAL_METHOD_REFRESH = 'REFRESH'; const ICAL_METHOD_COUNTER = 'COUNTER'; const ICAL_METHOD_DECLINECOUNTER = 'DECLINECOUNTER'; + const RFC822_DATE_FORMAT = 'D, j M Y H:i:s O'; /** * Email priority. @@ -77,7 +78,7 @@ class PHPMailer public $CharSet = self::CHARSET_ISO88591; /** - * The MIME Content-type of the message. + * The MIME Content-Type of the message. * * @var string */ @@ -159,7 +160,7 @@ class PHPMailer public $Ical = ''; /** - * Value-array of "method" in Contenttype header "text/calendar" + * Value-array of "method" in Content-Type header "text/calendar" * * @var string[] */ @@ -768,7 +769,7 @@ class PHPMailer * * @var string */ - const VERSION = '7.0.2'; + const VERSION = '7.1.1'; /** * Error severity: message only, continue processing. @@ -1283,26 +1284,27 @@ class PHPMailer /** * Parse and validate a string containing one or more RFC822-style comma-separated email addresses * of the form "display name
" into an array of name/address pairs. - * Uses the imap_rfc822_parse_adrlist function if the IMAP extension is available. + * Uses the imap_rfc822_parse_adrlist function if the IMAP extension is available and + * the deprecated $useimap argument is truthy. * Note that quotes in the name part are removed. * * @see https://www.andrew.cmu.edu/user/agreen1/testing/mrbs/web/Mail/RFC822.php A more careful implementation * * @param string $addrstr The address list string - * @param null $useimap Unused. Argument has been deprecated in PHPMailer 6.11.0. - * Previously this argument determined whether to use - * the IMAP extension to parse the list and accepted a boolean value. + * @param bool|null $useimap Deprecated in PHPMailer 6.11.0. + * Truthy values request the deprecated IMAP parser + * and trigger a deprecation warning. * @param string $charset The charset to use when decoding the address list string. * * @return array */ public static function parseAddresses($addrstr, $useimap = null, $charset = self::CHARSET_ISO88591) { - if ($useimap !== null) { + if ($useimap == true) { trigger_error(self::lang('deprecated_argument') . '$useimap', E_USER_DEPRECATED); } $addresses = []; - if (function_exists('imap_rfc822_parse_adrlist')) { + if ($useimap == true && function_exists('imap_rfc822_parse_adrlist')) { //Use this built-in parser if it's available // phpcs:ignore PHPCompatibility.FunctionUse.RemovedFunctions.imap_rfc822_parse_adrlistRemoved -- wrapped in function_exists() $list = imap_rfc822_parse_adrlist($addrstr, ''); @@ -1779,6 +1781,8 @@ class PHPMailer //Trim subject consistently $this->Subject = trim($this->Subject); + + //Create body before headers in case body makes changes to headers (e.g. altering transfer encoding) $this->MIMEHeader = ''; $this->MIMEBody = $this->createBody(); 
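Review bot: The new `$useimap == true` test in parseAddresses() is a loose comparison written out twice, so any truthy value (a non-empty string such as `'false'`, a non-zero integer) enables both the deprecation warning and the IMAP parser. The docblock now types the argument as `bool|null`, so I would evaluate it once and reuse the result in both conditions: `$wantImap = (bool) $useimap;` if truthiness is intended, or `$wantImap = ($useimap === true);` if only a real boolean should opt in. The function body continues past the end of this hunk, so the fallback parser is not visible here.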
@@ -1853,7 +1857,7 @@ class PHPMailer return $this->mailSend($this->MIMEHeader, $this->MIMEBody); default: $sendMethod = $this->Mailer . 'Send'; - if (method_exists($this, $sendMethod)) { + if (!empty($this->Mailer) && method_exists($this, $sendMethod)) { return $this->{$sendMethod}($this->MIMEHeader, $this->MIMEBody); } @@ -1911,7 +1915,7 @@ class PHPMailer // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. // Also don't add the -f automatically unless it has been set either via Sender - // or sendmail_path. Otherwise it can introduce new problems. + // or sendmail_path. Otherwise, it can introduce new problems. // @see http://github.com/PHPMailer/PHPMailer/issues/2298 if (!empty($this->Sender) && static::validateAddress($this->Sender) && self::isShellSafe($this->Sender)) { $sendmailArgs[] = '-f' . $this->Sender; @@ -2510,7 +2514,7 @@ class PHPMailer 'authenticate' => 'SMTP Error: Could not authenticate.', 'buggy_php' => 'Your version of PHP is affected by a bug that may result in corrupted messages.' . ' To fix it, switch to sending using SMTP, disable the mail.add_x_header option in' . - ' your php.ini, switch to MacOS or Linux, or upgrade your PHP to version 7.0.17+ or 7.1.3+.', + ' your php.ini, switch to macOS or Linux, or upgrade your PHP to version 7.0.17+ or 7.1.3+.', 'connect_host' => 'SMTP Error: Could not connect to SMTP host.', 'data_not_accepted' => 'SMTP Error: data not accepted.', 'empty_message' => 'Message body empty', @@ -2847,7 +2851,10 @@ class PHPMailer { $result = ''; - $result .= $this->headerLine('Date', '' === $this->MessageDate ? self::rfcDate() : $this->MessageDate); + $result .= $this->headerLine( + 'Date', + self::sanitiseDate($this->MessageDate) + ); //The To header is created automatically by mail(), so needs to be omitted here if ('mail' !== $this->Mailer) { 
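Review bot: The `!empty($this->Mailer)` guard added in the `default:` branch (hunk at -1853) excludes only the empty value, while the method is still chosen by concatenating `$this->Mailer . 'Send'`. PHP method lookup is case-insensitive, so any other Mailer string whose suffixed name matches an existing method on the class is still called with the header and body; presumably the empty case was resolving to the class's own `send()`. If Mailer can be influenced by configuration data, excluding the non-transport methods explicitly would be safer, e.g. `if (!empty($this->Mailer) && !in_array(strtolower($sendMethod), ['send', 'presend', 'postsend'], true) && method_exists($this, $sendMethod)) {`. A one-line comment saying why the empty value is rejected would help the next reader. The enclosing switch and method start outside this hunk.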
@@ -2916,7 +2923,7 @@ class PHPMailer ); } elseif (is_string($this->XMailer) && trim($this->XMailer) !== '') { //Some string - $result .= $this->headerLine('X-Mailer', trim($this->XMailer)); + $result .= $this->headerLine('X-Mailer', $this->secureHeader(trim($this->XMailer))); } //Other values result in no X-Mailer header if ('' !== $this->ConfirmReadingTo) { @@ -2966,13 +2973,20 @@ class PHPMailer break; default: //Catches case 'plain': and case '': - $result .= $this->textLine('Content-Type: ' . $this->ContentType . '; charset=' . $this->CharSet); + $result .= $this->textLine( + 'Content-Type: ' . + $this->secureHeader($this->ContentType) . + '; charset=' . $this->secureHeader($this->CharSet) + ); $ismultipart = false; break; } + if (!$this->validateEncoding($this->Encoding)) { + throw new Exception(self::lang('encoding') . $this->Encoding); + } //RFC1341 part 5 says 7bit is assumed if not specified if (static::ENCODING_7BIT !== $this->Encoding) { - //RFC 2045 section 6.4 says multipart MIME parts may only use 7bit, 8bit or binary CTE + //RFC 2045 section 6.4 says multipart MIME parts may only use 7bit, 8bit, or binary CTE if ($ismultipart) { if (static::ENCODING_8BIT === $this->Encoding) { $result .= $this->headerLine('Content-Transfer-Encoding', static::ENCODING_8BIT); @@ -3047,6 +3061,9 @@ class PHPMailer $this->setWordWrap(); + if (!$this->validateEncoding($this->Encoding)) { + throw new Exception(self::lang('encoding') . $this->Encoding); + } $bodyEncoding = $this->Encoding; $bodyCharSet = $this->CharSet; //Can we do a 7-bit downgrade? @@ -4166,7 +4183,7 @@ class PHPMailer protected function validateEncoding($encoding) { return in_array( - $encoding, + strtolower($encoding), [ self::ENCODING_7BIT, self::ENCODING_QUOTED_PRINTABLE, @@ -4426,7 +4443,7 @@ class PHPMailer } /** - * Return an RFC 822 formatted date. + * Return the current date and time as an RFC 822 formatted date. * * @return string */ 
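Review bot: The `validateEncoding()` checks added in the hunks at -2966 and -3047 validate a lowercased copy (see the `strtolower($encoding)` change in the hunk at -4166), but the code that follows keeps using the original `$this->Encoding`. A value like `7BIT` therefore passes validation and then fails the strict `static::ENCODING_7BIT !== $this->Encoding` comparison directly below. Normalising once after the check, e.g. `$this->Encoding = strtolower($this->Encoding);`, would keep validation and use in agreement. The thrown message also appends the raw `$this->Encoding`; wrapping it as `$this->secureHeader($this->Encoding)` would keep line breaks out of whatever logs or displays the exception text. Both surrounding functions extend beyond the visible hunks.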
@@ -4436,7 +4453,51 @@ class PHPMailer //Will default to UTC if it's not set properly in php.ini date_default_timezone_set(@date_default_timezone_get()); - return date('D, j M Y H:i:s O'); + return date(self::RFC822_DATE_FORMAT); + } + + /** + * Normalise a user-supplied date into a correctly-formatted RFC 5322 date value + * string suitable for use in the Date header. + * + * Accepts: + * - A {@see \DateTime} (or \DateTimeImmutable) object + * - Any date/time string understood by PHP's DateTime constructor (RFC 5322, ISO 8601, + * Unix timestamp with leading "@", natural-language strings, etc.) + * + * Dates in the future are not permitted for email headers; if the parsed date is later + * than "now" the method falls back to the current time via {@see self::rfcDate()}. + * An empty value, a non-string/non-DateTime argument, or any value that cannot be + * parsed will likewise fall back to {@see self::rfcDate()}. + * + * @param \DateTime|\DateTimeImmutable|string $date The date to normalise + * + * @return string An RFC 5322-formatted date string + */ + private static function sanitiseDate($date) + { + try { + //Ensure the default timezone is set properly + date_default_timezone_set(@date_default_timezone_get()); + + if ($date instanceof \DateTimeInterface) { + $dt = $date; + } elseif (is_string($date) && $date !== '') { + $dt = new \DateTime($date); + } else { + //Empty string, null, or any unsupported type + return self::rfcDate(); + } + + //Reject future dates — they are invalid for outgoing message headers + if ($dt->getTimestamp() > time()) { + return self::rfcDate(); + } + + return $dt->format(self::RFC822_DATE_FORMAT); + } catch (\Exception $e) { + return self::rfcDate(); + } } /** diff --git a/plugins/PHPMailer/src/POP3.php b/plugins/PHPMailer/src/POP3.php index 186fe9fe..0ba96783 100644 --- a/plugins/PHPMailer/src/POP3.php +++ b/plugins/PHPMailer/src/POP3.php 
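Review bot: sanitiseDate() replaces any unparseable or future `MessageDate` with the current time without any signal to the caller, a behaviour change from the removed line in the hunk at -2847, which sent a non-empty string verbatim. The `$dt->getTimestamp() > time()` comparison has no tolerance, so a timestamp from a host whose clock runs slightly ahead is silently discarded too. I would document both fallbacks where `MessageDate` is described and add a comment in the catch block such as `//Unparseable input: use the current time instead of the caller's string`. Declaring the method `private` also stops subclasses from adjusting this policy, whereas `validateEncoding()` elsewhere in this diff is `protected`.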
@@ -47,7 +47,7 @@ class POP3 * @var string * @deprecated This constant will be removed in PHPMailer 8.0. Use `PHPMailer::VERSION` instead. */ - const VERSION = '7.0.2'; + const VERSION = '7.1.1'; /** * Default POP3 port number. @@ -212,9 +212,9 @@ class POP3 } else { $this->tval = (int) $timeout; } - $this->do_debug = $debug_level; - $this->username = $username; - $this->password = $password; + $this->do_debug = (int) $debug_level; + $this->username = self::stripControls($username); + $this->password = self::stripControls($password); //Reset the error log $this->errors = []; //Connect @@ -319,7 +319,8 @@ class POP3 if (empty($password)) { $password = $this->password; } - + $username = self::stripControls($username); + $password = self::stripControls($password); //Send the Username $this->sendString("USER $username" . static::LE); $pop3_response = $this->getResponse(); @@ -407,7 +408,7 @@ class POP3 /** * Checks the POP3 server response. - * Looks for for +OK or -ERR. + * Looks for +OK or -ERR. * * @param string $string * @@ -467,4 +468,16 @@ class POP3 "errno: $errno errstr: $errstr; errfile: $errfile; errline: $errline" ); } + + /** + * Strip all control chars from a string. + * + * @param $string + * + * @return string + */ + protected static function stripControls($string) + { + return preg_replace('/[\x00-\x1F\x7F]/u', '', $string); + } } diff --git a/plugins/PHPMailer/src/SMTP.php b/plugins/PHPMailer/src/SMTP.php index 559b52c4..f0957b80 100644 --- a/plugins/PHPMailer/src/SMTP.php +++ b/plugins/PHPMailer/src/SMTP.php @@ -36,7 +36,7 @@ class SMTP * @var string * @deprecated This constant will be removed in PHPMailer 8.0. Use `PHPMailer::VERSION` instead. */ - const VERSION = '7.0.2'; + const VERSION = '7.1.1'; /** * SMTP line break constant. 
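Review bot: stripControls() (hunk at -467) calls `preg_replace()` with the `/u` modifier, and with that modifier PHP returns null when the subject is not valid UTF-8. A username or password containing, for example, Latin-1 bytes would therefore become null in authorise() and login() (hunks at -212 and -319) instead of being cleaned. The character class is pure ASCII, so the modifier can be dropped: `return preg_replace('/[\x00-\x1F\x7F]/', '', (string) $string);`. Silently deleting characters from a password also changes the credential that is sent, so rejecting input that contains control characters would fail more clearly. The docblock's `@param $string` is missing its type (`@param string $string`).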
@@ -1289,7 +1289,7 @@ class SMTP * 3. EHLO has been sent - * $name == 'HELO'|'EHLO': returns the server name * $name == any other string: if extension $name exists, returns True - * or its options (e.g. AUTH mechanisms supported). Otherwise returns False. + * or its options (e.g. AUTH mechanisms supported). Otherwise, returns False. * * @param string $name Name of SMTP extension or 'HELO'|'EHLO' *