diff --git a/src/wp-includes/PHPMailer/PHPMailer.php b/src/wp-includes/PHPMailer/PHPMailer.php
index 52e2027859..8b27efc461 100644
a
|
b
|
class PHPMailer |
748 | 748 | * |
749 | 749 | * @var string |
750 | 750 | */ |
751 | | const VERSION = '6.3.0'; |
| 751 | const VERSION = '6.4.0'; |
752 | 752 | |
753 | 753 | /** |
754 | 754 | * Error severity: message only, continue processing. |
… |
… |
public static function parseAddresses($addrstr, $useimap = true) |
1199 | 1199 | ) |
1200 | 1200 | ) { |
1201 | 1201 | //Decode the name part if it's present and encoded |
1202 | | if (property_exists($address, 'personal') && preg_match('/^=\?.*\?=$/', $address->personal)) { |
| 1202 | if ( |
| 1203 | property_exists($address, 'personal') && |
| 1204 | extension_loaded('mbstring') && |
| 1205 | preg_match('/^=\?.*\?=$/', $address->personal) |
| 1206 | ) { |
1203 | 1207 | $address->personal = mb_decode_mimeheader($address->personal); |
1204 | 1208 | } |
1205 | 1209 | |
… |
… |
protected function sendmailSend($header, $body) |
1682 | 1686 | //Sendmail docs: http://www.sendmail.org/~ca/email/man/sendmail.html |
1683 | 1687 | //Qmail docs: http://www.qmail.org/man/man8/qmail-inject.html |
1684 | 1688 | //Example problem: https://www.drupal.org/node/1057954 |
1685 | | //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. |
1686 | | if ('' === $this->Sender) { |
1687 | | $this->Sender = $this->From; |
1688 | | } |
1689 | 1689 | if (empty($this->Sender) && !empty(ini_get('sendmail_from'))) { |
1690 | 1690 | //PHP config has a sender address we can use |
1691 | 1691 | $this->Sender = ini_get('sendmail_from'); |
1692 | 1692 | } |
1693 | 1693 | //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. |
1694 | | //But sendmail requires this param, so fail without it |
1695 | 1694 | if (!empty($this->Sender) && static::validateAddress($this->Sender) && self::isShellSafe($this->Sender)) { |
1696 | 1695 | if ($this->Mailer === 'qmail') { |
1697 | 1696 | $sendmailFmt = '%s -f%s'; |
… |
… |
protected function sendmailSend($header, $body) |
1699 | 1698 | $sendmailFmt = '%s -oi -f%s -t'; |
1700 | 1699 | } |
1701 | 1700 | } else { |
1702 | | $this->edebug('Sender address unusable or missing: ' . $this->Sender); |
1703 | | return false; |
| 1701 | //allow sendmail to choose a default envelope sender. It may |
| 1702 | //seem preferable to force it to use the From header as with |
| 1703 | //SMTP, but that introduces new problems (see |
| 1704 | //<https://github.com/PHPMailer/PHPMailer/issues/2298>), and |
| 1705 | //it has historically worked this way. |
| 1706 | $sendmailFmt = '%s -oi -t'; |
1704 | 1707 | } |
1705 | 1708 | |
1706 | 1709 | $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender); |
… |
… |
protected function mailSend($header, $body) |
1860 | 1863 | //Qmail docs: http://www.qmail.org/man/man8/qmail-inject.html |
1861 | 1864 | //Example problem: https://www.drupal.org/node/1057954 |
1862 | 1865 | //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. |
1863 | | if ('' === $this->Sender) { |
1864 | | $this->Sender = $this->From; |
1865 | | } |
1866 | 1866 | if (empty($this->Sender) && !empty(ini_get('sendmail_from'))) { |
1867 | 1867 | //PHP config has a sender address we can use |
1868 | 1868 | $this->Sender = ini_get('sendmail_from'); |
diff --git a/src/wp-includes/PHPMailer/SMTP.php b/src/wp-includes/PHPMailer/SMTP.php
index 68f3aeccc5..9d85929ddf 100644
a
|
b
|
class SMTP |
35 | 35 | * |
36 | 36 | * @var string |
37 | 37 | */ |
38 | | const VERSION = '6.3.0'; |
| 38 | const VERSION = '6.4.0'; |
39 | 39 | |
40 | 40 | /** |
41 | 41 | * SMTP line break constant. |
… |
… |
public function authenticate( |
553 | 553 | } |
554 | 554 | //Send encoded username and password |
555 | 555 | if ( |
| 556 | //Format from https://tools.ietf.org/html/rfc4616#section-2 |
| 557 | //We skip the first field (it's forgery), so the string starts with a null byte |
556 | 558 | !$this->sendCommand( |
557 | 559 | 'User & Password', |
558 | 560 | base64_encode("\0" . $username . "\0" . $password), |