WordPress.org

Make WordPress Core

Changeset 50630


Ignore:
Timestamp:
04/01/2021 12:59:20 PM (4 months ago)
Author:
SergeyBiryukov
Message:

External Libraries: Upgrade PHPMailer from 6.3.0 to 6.4.0.

6.4.0 reverts a change that made the mail() and sendmail transports set the envelope sender if one isn't explicitly provided, as it was causing problems in specific PHP/server configurations.

Release post: https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.0
Changelog: https://github.com/PHPMailer/PHPMailer/compare/v6.3.0...v6.4.0

Props Synchro, tigertech, ayeshrajans, galbaras, audrasjb, SergeyBiryukov, desrosj, ocean90.
Merges [50628] to the 5.7 branch.
Fixes #52822.

Location:
branches/5.7
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • branches/5.7

  • branches/5.7/src/wp-includes/PHPMailer/PHPMailer.php

    r50397 r50630  
    749749     * @var string
    750750     */
    751     const VERSION = '6.3.0';
     751    const VERSION = '6.4.0';
    752752
    753753    /**
     
    12001200                ) {
    12011201                    //Decode the name part if it's present and encoded
    1202                     if (property_exists($address, 'personal') && preg_match('/^=\?.*\?=$/', $address->personal)) {
     1202                    if (
     1203                        property_exists($address, 'personal') &&
     1204                        extension_loaded('mbstring') &&
     1205                        preg_match('/^=\?.*\?=$/', $address->personal)
     1206                    ) {
    12031207                        $address->personal = mb_decode_mimeheader($address->personal);
    12041208                    }
     
    16831687        //Qmail docs: http://www.qmail.org/man/man8/qmail-inject.html
    16841688        //Example problem: https://www.drupal.org/node/1057954
    1685         //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
    1686         if ('' === $this->Sender) {
    1687             $this->Sender = $this->From;
    1688         }
    16891689        if (empty($this->Sender) && !empty(ini_get('sendmail_from'))) {
    16901690            //PHP config has a sender address we can use
     
    16921692        }
    16931693        //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
    1694         //But sendmail requires this param, so fail without it
    16951694        if (!empty($this->Sender) && static::validateAddress($this->Sender) && self::isShellSafe($this->Sender)) {
    16961695            if ($this->Mailer === 'qmail') {
     
    17001699            }
    17011700        } else {
    1702             $this->edebug('Sender address unusable or missing: ' . $this->Sender);
    1703             return false;
     1701            //allow sendmail to choose a default envelope sender. It may
     1702            //seem preferable to force it to use the From header as with
     1703            //SMTP, but that introduces new problems (see
     1704            //<https://github.com/PHPMailer/PHPMailer/issues/2298>), and
     1705            //it has historically worked this way.
     1706            $sendmailFmt = '%s -oi -t';
    17041707        }
    17051708
     
    18611864        //Example problem: https://www.drupal.org/node/1057954
    18621865        //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
    1863         if ('' === $this->Sender) {
    1864             $this->Sender = $this->From;
    1865         }
    18661866        if (empty($this->Sender) && !empty(ini_get('sendmail_from'))) {
    18671867            //PHP config has a sender address we can use
  • branches/5.7/src/wp-includes/PHPMailer/SMTP.php

    r50397 r50630  
    3636     * @var string
    3737     */
    38     const VERSION = '6.3.0';
     38    const VERSION = '6.4.0';
    3939
    4040    /**
     
    554554                //Send encoded username and password
    555555                if (
     556                    //Format from https://tools.ietf.org/html/rfc4616#section-2
     557                    //We skip the first field (it's forgery), so the string starts with a null byte
    556558                    !$this->sendCommand(
    557559                        'User & Password',
Note: See TracChangeset for help on using the changeset viewer.