Make WordPress Core

Opened 7 years ago

Last modified 16 months ago

#39714 new enhancement

Proposal: Use Full PHPMailer library

Reported by: ipstenu's profile Ipstenu Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: External Libraries Keywords: has-patch needs-refresh
Focuses: Cc:


Currently we're using a customized version of phpMailer that strips out some features. This is most evident when you compare class.smtp.php:



We're missing sections which plugin developers are using to support extended features (oauth, ntlm, etc). By leaving this out, we introduce a reason for them to include versions of PHPMailer which they then have to update in the case of security issues (such as the sort that predicated the 4.7.1 core release).

If we were to include the full library, it would be easier (and faster) for core to update in case of security issues, and it would provide more flexibility and security for plugins and (by extension) users of WordPress.

Attachments (3)

phpmailer.diff (748 bytes) - added by JeffMatson 7 years ago.
PHPMailer drop-in
phpmailer2.diff (525.3 KB) - added by JeffMatson 7 years ago.
Diff including new files.
39714-1.diff (4.8 KB) - added by Ipstenu 7 years ago.
Update PHPMailer to 5.2.2, no longer fork library

Download all attachments as: .zip

Change History (12)

#1 follow-up: @lukecavanagh
7 years ago


Seems like it is worth doing, with the number of SMTP or related plugins which did include their own version of PHPMailer.

#2 in reply to: ↑ 1 @Ipstenu
7 years ago

The majority of plugins included their own copy in order to include it period. It was merely an educational issue that caused that situation. The point of this ticket is that those who have a legit reason for the un-forked version of the library should not be excluded and put more at risk :)

#3 @dd32
7 years ago

I'm +1 for this. Merging a pristine copy of PHPMailer and not having to remove features for security updates is beneficial for all.

I can see arguments for keeping our current "slimmed down" version, as 99.99% of sites never use some of the functions we currently ship with (SMTP for example, or the SMTP authentication methods), but the fact it's not an official upstream version we can copy-paste irks me, and isn't good for security/file modification scanners.

#4 @Otto42
7 years ago

Seems like a good idea. We should investigate why these additional pieces were originally removed and figure out if that makes sense in the current circumstances.

If we can include upstream libraries unchanged, then we should. If we need to push things upstream to make that easier or better for all involved, then bonus points.

#5 @JeffMatson
7 years ago

I dropped in PHPMailer and things seem to be fine so far. Obviously, it would need a lot more testing. Diff attached.

At the moment, I left in the existing classes for backwards compatibility for anyone who might be calling them directly.

7 years ago

PHPMailer drop-in

7 years ago

Diff including new files.

7 years ago

Update PHPMailer to 5.2.2, no longer fork library

#6 @Ipstenu
7 years ago

I think the drop-in fix would be better. The second patch has _everything_ and we don't need all that :) Yet.

I simply updated the two files to the full version of the phpMailer source for 5.2.22 (the current stable)

#7 @Ipstenu
7 years ago

  • Keywords has-patch added

#8 @MattyRob
7 years ago

The reason these blocks of code are removed is because we don't include the necessary 'extras' used by PHPMailer to make these work.

For example the NTLM code block contains the following line:
require_once 'extras/ntlm_sasl_client.php';

This library file is not bundled with WordPress so this would result in an ugly looking failure.

In a similar way, the 'XOAUTH2' authentication method calls the $OAuth->getOauth64() function and as the class.phpmaileroauthgoogle.php library is also not included, this would fail.

To include these methods would require bundling these extra files from the PHPMailer package.

#9 @desrosj
16 months ago

  • Keywords needs-refresh added

It's been quite a bit of time. This one definitely will need a refresh and reevaluation with today's code base.

Note: See TracTickets for help on using tickets.