Opened 14 months ago

Last modified 14 months ago

#40576 new defect (bug)

Sending emails broken in 4.7.2

Reported by: pavelevap
Owned by:
Milestone: Awaiting Review
Priority: normal
Severity: normal
Version: 4.7.2
Component: External Libraries
Keywords: close
Focuses:
Cc:

Description (last modified by SergeyBiryukov)

This change in 4.7.2 probably broke sending emails for some websites: [39646]

PHPMailer was updated from 5.2.14 to 5.2.21 and several calls to escapeshellcmd() were added. But some users reported problems with emails not sending and we found some related errors, for example: Warning: escapeshellcmd() has been disabled for security reasons in .../wp-includes/class-phpmailer.php on line 1442.

The escapeshellcmd() function is disabled by the webhoster and it is not possible to allow it. Everything works in 4.7.1 and stopped working after the automatic update to 4.7.2.

Attachments (2)

40576.patch (745 bytes) - added by gk.loveweb 14 months ago.
40576.2.patch (818 bytes) - added by gk.loveweb 14 months ago.

Change History (6)

#1 @SergeyBiryukov
14 months ago

  • Component changed from General to Mail
  • Description modified (diff)
  • Milestone changed from Awaiting Review to 4.7.5

#2 @gk.loveweb
14 months ago

  • Keywords has-patch added

The escapeshellarg() function should be used to escape individual arguments to shell functions coming from user input, @pavelevap.

#3 @dd32
14 months ago

  • Component changed from Mail to External Libraries
  • Keywords close added; has-patch removed
  • Milestone changed from 4.7.5 to Awaiting Review

Unfortunately, simply switching from escapeshellcmd() to escapeshellarg() isn't viable here, and likely introduces security concerns. They were introduced to fix the issues surrounding CVE-2016-10033 & CVE-2016-10045. (Installs which disable escapeshellcmd() most likely also disable escapeshellarg(), btw.)

https://github.com/PHPMailer/PHPMailer/issues/966 & https://github.com/PHPMailer/PHPMailer/issues/948 are the upstream issues for this problem, which have unfortunately been closed as wontfix.

escapeshellcmd() does not introduce any security implications for an install, and is used to protect against them instead - the ideal solution here will be for you to contact your host and ask them to remove that from the disable_functions list, as they're specifically preventing us from sending email securely.

If you wish to attempt to fix this, it should be fixed upstream within PHPMailer, and not within WordPress directly.

I'm removing this from the 4.7.x milestone as it's not something we can fix directly, and can be milestoned in the event a new PHPMailer build becomes available which can be used here.

Last edited 14 months ago by dd32

#4 @pavelevap
14 months ago

I agree that it is mostly a webhoster issue, but on the other hand WordPress was updated automatically and users were not made aware of this serious issue. I found it when debugging why lead forms stopped working for one client. There should be some kind of warning message that emails stopped working when the function is disabled or something similar, I guess. Now there is no warning, emails only silently fail :-(
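
One way a site owner could get the warning asked for in comment #4, as an added example that is not part of the ticket, WordPress core or PHPMailer. It assumes the file is loaded as a must-use plugin; the `example_` function name and the notice wording are hypothetical.

```php
<?php
// Added example, not WordPress core or PHPMailer code. The example_ name is
// hypothetical; intended to be dropped in as a must-use plugin file.

/**
 * Return the functions from $needed that this PHP runtime cannot call.
 * Both disable_functions and function_exists() are consulted, so a function
 * is reported if either check says it is unavailable.
 */
function example_unavailable_functions( array $needed ) {
	$listed   = explode( ',', (string) ini_get( 'disable_functions' ) );
	$disabled = array_filter( array_map( 'strtolower', array_map( 'trim', $listed ) ) );
	$missing  = array();
	foreach ( $needed as $fn ) {
		if ( ! function_exists( $fn ) || in_array( strtolower( $fn ), $disabled, true ) ) {
			$missing[] = $fn;
		}
	}
	return $missing;
}

// Show administrators a persistent notice instead of failing silently.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	// The two functions named in this ticket.
	$missing = example_unavailable_functions( array( 'escapeshellcmd', 'escapeshellarg' ) );
	if ( empty( $missing ) ) {
		return;
	}
	$message = sprintf(
		'Outgoing email may be failing: the host has disabled %s. Ask the host to remove it from disable_functions.',
		implode( '(), ', $missing ) . '()'
	);
	printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $message ) );
} );

// Record failures that wp_mail() does report (the hook passes a WP_Error).
add_action( 'wp_mail_failed', function ( $error ) {
	error_log( 'wp_mail failed: ' . $error->get_error_message() );
} );
```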