Make WordPress Core


Ignore:
Timestamp:
05/12/2021 10:34:22 PM (3 years ago)
Author:
peterwilsoncc
Message:

External libraries: Improve attachment handling in PHPMailer

Props: audrasjb, ayeshrajans, desrosj, peterwilsoncc, xknown.
Partially merges [50799] to the 4.0 branch.

Location:
branches/4.0
Files:
2 edited

Legend:

Unmodified
Added
Removed
  • branches/4.0

  • branches/4.0/src/wp-includes/class-phpmailer.php

    r39791 r50864  
    12951295            // Sign with DKIM if enabled
    12961296            if (!empty($this->DKIM_domain)
    1297                 && !empty($this->DKIM_selector)
    1298                 && (!empty($this->DKIM_private_string)
    1299                    || (!empty($this->DKIM_private) && file_exists($this->DKIM_private))
     1297                and !empty($this->DKIM_selector)
     1298                and (!empty($this->DKIM_private_string)
     1299                    or (!empty($this->DKIM_private)
     1300                        and self::isPermittedPath($this->DKIM_private)
     1301                        and file_exists($this->DKIM_private)
     1302                    )
    13001303                )
    13011304            ) {
     
    14631466
    14641467    /**
     1468     * Check whether a file path is of a permitted type.
     1469     * Used to reject URLs and phar files from functions that access local file paths,
     1470     * such as addAttachment.
     1471     * @param string $path A relative or absolute path to a file.
     1472     * @return bool
     1473     */
     1474    protected static function isPermittedPath($path)
     1475    {
     1476        //Matches scheme definition from https://tools.ietf.org/html/rfc3986#section-3.1
     1477        return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);
     1478    }
     1479
     1480    /**
     1481     * Check whether a file path is safe, accessible, and readable.
     1482     *
     1483     * @param string $path A relative or absolute path to a file
     1484     *
     1485     * @return bool
     1486     */
     1487    protected static function fileIsAccessible($path)
     1488    {
     1489        if (!self::isPermittedPath($path)) {
     1490                return false;
     1491        }
     1492        $readable = file_exists($path);
     1493        //If not a UNC path (expected to start with \\), check read permission, see #2069
     1494        if (strpos($path, '\\\\') !== 0) {
     1495            $readable = $readable && is_readable($path);
     1496        }
     1497        return $readable;
     1498    }
     1499
     1500    /**
    14651501     * Send mail using the PHP mail() function.
    14661502     * @param string $header The message headers
     
    15181554    {
    15191555        if (!is_object($this->smtp)) {
    1520             require_once( 'class-smtp.php' );
     1556            require_once( 'class-smtp.php' );
    15211557            $this->smtp = new SMTP;
    15221558        }
     
    17851821        if ($langcode != 'en') {
    17861822            // Make sure language file path is readable
    1787             if (!is_readable($lang_file)) {
     1823            if (!self::fileIsAccessible($lang_file)) {
    17881824                $foundlang = false;
    17891825            } else {
     
    24962532     * Never use a user-supplied path to a file!
    24972533     * Returns false if the file could not be found or read.
     2534     * Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client.
     2535     * If you need to do that, fetch the resource yourself and pass it in via a local file or string.
    24982536     * @param string $path Path to the attachment.
    24992537     * @param string $name Overrides the attachment name.
     
    25072545    {
    25082546        try {
    2509             if (!@is_file($path)) {
     2547            if (!self::fileIsAccessible($path)) {
    25102548                throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
    25112549            }
     
    26882726    {
    26892727        try {
    2690             if (!is_readable($path)) {
     2728            if (!self::fileIsAccessible($path)) {
    26912729                throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE);
    26922730            }
     
    30323070    public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline')
    30333071    {
    3034         if (!@is_file($path)) {
     3072        if (!self::fileIsAccessible($path)) {
    30353073            $this->setError($this->lang('file_access') . $path);
    30363074            return false;
Note: See TracChangeset for help on using the changeset viewer.