Make WordPress Core

Opened 4 years ago

Closed 20 months ago

#40576 closed defect (bug) (reported-upstream)

Sending emails broken in 4.7.2

Reported by: pavelevap Owned by:
Milestone: Priority: normal
Severity: normal Version: 4.7.2
Component: External Libraries Keywords: close
Focuses: Cc:

Description (last modified by SergeyBiryukov)

This change in 4.7.2 probably broke sending emails for some websites: [39646]

PHPMailer was updated from 5.2.14 to 5.2.21 and several calls to escapeshellcmd() were added. But some users reported problems with emails not sending and we found some related errors, for example: Warning: escapeshellcmd() has been disabled for security reasons in .../wp-includes/class-phpmailer.php on line 1442.

Function escapeshellcmd() is disabled by webhoster and it is not possible to allow it. Everything works in 4.7.1 and stopped working after automatic update to 4.7.2.

Attachments (2)

40576.patch (745 bytes) - added by gk.loveweb 4 years ago.
40576.2.patch (818 bytes) - added by gk.loveweb 4 years ago.

Download all attachments as: .zip

Change History (7)

#1 @SergeyBiryukov
4 years ago

  • Component changed from General to Mail
  • Description modified (diff)
  • Milestone changed from Awaiting Review to 4.7.5

#2 @gk.loveweb
4 years ago

  • Keywords has-patch added

escapeshellarg() function should be used to escape individual arguments to shell functions coming from user input @pavelevap

4 years ago

4 years ago

#3 @dd32
4 years ago

  • Component changed from Mail to External Libraries
  • Keywords close added; has-patch removed
  • Milestone changed from 4.7.5 to Awaiting Review

Unfortunately simply switching from escapeshellcmd() to escapeshellarg() isn't viable here, and likely introduces security concerns. They were introduced to fix the issues surrounging CVE-2016-10033 & CVE-2016-10045. (Installs which disable escapeshellcmd() most likely also disable escapeshellarg() btw)

https://github.com/PHPMailer/PHPMailer/issues/966 & https://github.com/PHPMailer/PHPMailer/issues/948 are the upstream issues for this problem, which have unfortunately been closed as wontfix.

escapeshelllcmd() does not introduce any security implications for an install, and is used to protect against them instead - the ideal solution here will be for you contacting your host and asking them to remove that from the disable_functions list, as they're specifically preventing us from sending email securely.

If you wish to attempt to fix this, it should be fixed upstream within PHPMailer, and not within WordPress directly.

I'm removing this from the 4.7.x milestone as it's not something we can fix directly, and can be milestoned in the event a new PHPMailer build becomes available which can be used here.

Last edited 4 years ago by dd32 (previous) (diff)

#4 @pavelevap
4 years ago

I agree that it is mostly webhoster issue, but on the other hand WordPress was updated automatically and users were not awared of this serious issue. I found it when debugging why lead forms stopped working for one client. There should be some kind of warning message that emails stopped working when function is disabled or something similar, I guess. Now there is no warning, emails only silently fail :-(

#5 @desrosj
20 months ago

  • Milestone Awaiting Review deleted
  • Resolution set to reported-upstream
  • Status changed from new to closed

I'm going to close this out. As @dd32 mentioned above, this needs to be addressed upstream in PHPMailer in order to fix in WordPress.

#41750 updates PHPMailer to the latest version in Core.

Note: See TracTickets for help on using tickets.