Changeset 46097 for trunk/src/wp-includes/class-phpmailer.php
- Timestamp:
- 09/12/2019 02:36:42 PM (6 years ago)
- File:
-
- 1 edited
trunk/src/wp-includes/class-phpmailer.php
r39759 r46097 32 32 * @var string 33 33 */ 34 public $Version = '5.2.2 2';34 public $Version = '5.2.27'; 35 35 36 36 /** … … 441 441 * Parameters: 442 442 * boolean $result result of the send action 443 * string $to email address of the recipient444 * string$cc cc email addresses445 * string$bcc bcc email addresses443 * array $to email addresses of the recipients 444 * array $cc cc email addresses 445 * array $bcc bcc email addresses 446 446 * string $subject the subject 447 447 * string $body the email body … … 660 660 $this->exceptions = (boolean)$exceptions; 661 661 } 662 //Pick an appropriate debug output format automatically 663 $this->Debugoutput = (strpos(PHP_SAPI, 'cli') !== false ? 'echo' : 'html'); 662 664 } 663 665 … … 1295 1297 // Sign with DKIM if enabled 1296 1298 if (!empty($this->DKIM_domain) 1297 && !empty($this->DKIM_selector) 1298 && (!empty($this->DKIM_private_string) 1299 || (!empty($this->DKIM_private) && file_exists($this->DKIM_private)) 1299 and !empty($this->DKIM_selector) 1300 and (!empty($this->DKIM_private_string) 1301 or (!empty($this->DKIM_private) 1302 and self::isPermittedPath($this->DKIM_private) 1303 and file_exists($this->DKIM_private) 1304 ) 1300 1305 ) 1301 1306 ) { … … 1463 1468 1464 1469 /** 1470 * Check whether a file path is of a permitted type. 1471 * Used to reject URLs and phar files from functions that access local file paths, 1472 * such as addAttachment. 1473 * @param string $path A relative or absolute path to a file. 1474 * @return bool 1475 */ 1476 protected static function isPermittedPath($path) 1477 { 1478 return !preg_match('#^[a-z]+://#i', $path); 1479 } 1480 1481 /** 1465 1482 * Send mail using the PHP mail() function. 
1466 1483 * @param string $header The message headers … … 1624 1641 foreach ($hosts as $hostentry) { 1625 1642 $hostinfo = array(); 1626 if (!preg_match('/^((ssl|tls):\/\/)*([a-zA-Z0-9\.-]*):?([0-9]*)$/', trim($hostentry), $hostinfo)) { 1643 if (!preg_match( 1644 '/^((ssl|tls):\/\/)*([a-zA-Z0-9\.-]*|\[[a-fA-F0-9:]+\]):?([0-9]*)$/', 1645 trim($hostentry), 1646 $hostinfo 1647 )) { 1627 1648 // Not a valid host entry 1649 $this->edebug('Ignoring invalid host: ' . $hostentry); 1628 1650 continue; 1629 1651 } … … 1744 1766 'no' => 'nb', 1745 1767 'se' => 'sv', 1768 'sr' => 'rs' 1746 1769 ); 1747 1770 … … 1785 1808 if ($langcode != 'en') { 1786 1809 // Make sure language file path is readable 1787 if (! is_readable($lang_file)) {1810 if (!self::isPermittedPath($lang_file) or !is_readable($lang_file)) { 1788 1811 $foundlang = false; 1789 1812 } else { … … 2026 2049 $result = ''; 2027 2050 2028 if ($this->MessageDate == '') { 2029 $this->MessageDate = self::rfcDate(); 2030 } 2031 $result .= $this->headerLine('Date', $this->MessageDate); 2051 $result .= $this->headerLine('Date', $this->MessageDate == '' ? self::rfcDate() : $this->MessageDate); 2032 2052 2033 2053 // To be created automatically by mail() … … 2496 2516 * Never use a user-supplied path to a file! 2497 2517 * Returns false if the file could not be found or read. 2518 * Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client. 2519 * If you need to do that, fetch the resource yourself and pass it in via a local file or string. 2498 2520 * @param string $path Path to the attachment. 2499 2521 * @param string $name Overrides the attachment name. … … 2507 2529 { 2508 2530 try { 2509 if (! @is_file($path)) {2531 if (!self::isPermittedPath($path) or !@is_file($path)) { 2510 2532 throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE); 2511 2533 } … … 2688 2710 { 2689 2711 try { 2690 if (! 
is_readable($path)) {2712 if (!self::isPermittedPath($path) or !file_exists($path)) { 2691 2713 throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE); 2692 2714 } … … 3032 3054 public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline') 3033 3055 { 3034 if (! @is_file($path)) {3056 if (!self::isPermittedPath($path) or !@is_file($path)) { 3035 3057 $this->setError($this->lang('file_access') . $path); 3036 3058 return false; … … 4035 4057 public function errorMessage() 4036 4058 { 4037 $errorMsg = '<strong>' . $this->getMessage() . "</strong><br />\n";4059 $errorMsg = '<strong>' . htmlspecialchars($this->getMessage()) . "</strong><br />\n"; 4038 4060 return $errorMsg; 4039 4061 }
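Review bot: The scheme pattern in the new `isPermittedPath()` (`#^[a-z]+://#i`) only matches scheme names made purely of letters, so it is narrower than the RFC 3986 scheme grammar and does not reject PHP stream wrappers whose names contain dots or digits, such as `compress.zlib://`; every caller added in this changeset (the DKIM private-key check, the language-file check, `addAttachment`, `encodeFile`, `addEmbeddedImage`) inherits that gap. I would change the return to `return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);`. The docblock should also state that this is a syntactic filter on the path prefix only and does not make a caller-chosen local path safe, in line with the existing "Never use a user-supplied path to a file!" warning on `addAttachment`. Separately, the `encodeFile` hunk replaces `is_readable()` with `file_exists()`, so a file that exists but cannot be read now passes the guard; whether the later read handles that failure is outside the visible lines.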