@@ -31,7 +31,7 @@ class PHPMailer
3131 * The PHPMailer Version number.
3232 * @var string
3333 */
34- public $ Version'5.2.19 ' ;
34+ public $ Version'5.2.21 ' ;
3535
3636 /**
3737 * Email priority.
@@ -1364,19 +1364,24 @@ public function postSend()
13641364 */
13651365 protected function sendmailSend ($ header$ body
13661366 {
1367- if (!empty ($ this Sender )) {
1367+ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
1368+ if (!empty ($ this Sender ) and self ::isShellSafe ($ this Sender )) {
13681369 if ($ this Mailer == 'qmail ' ) {
1369- $ sendmail sprintf ( '%s -f%s ' , escapeshellcmd ( $ this -> Sendmail ), escapeshellarg ( $ this -> Sender )) ;
1370+ $ sendmailFmt '%s -f%s ' ;
13701371 } else {
1371- $ sendmail sprintf ( '%s -oi -f%s -t ' , escapeshellcmd ( $ this -> Sendmail ), escapeshellarg ( $ this -> Sender )) ;
1372+ $ sendmailFmt '%s -oi -f%s -t ' ;
13721373 }
13731374 } else {
13741375 if ($ this Mailer == 'qmail ' ) {
1375- $ sendmail sprintf ( '%s ' , escapeshellcmd ( $ this -> Sendmail )) ;
1376+ $ sendmailFmt '%s ' ;
13761377 } else {
1377- $ sendmail sprintf ( '%s -oi -t ' , escapeshellcmd ( $ this -> Sendmail )) ;
1378+ $ sendmailFmt '%s -oi -t ' ;
13781379 }
13791380 }
1381+
1382+ // TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing.
1383+ $ sendmailsprintf ($ sendmailFmtescapeshellcmd ($ this Sendmail ), $ this Sender );
1384+
13801385 if ($ this SingleTo ) {
13811386 foreach ($ this SingleToArray as $ toAddr
13821387 if (!@$ mailpopen ($ sendmail'w ' )) {
@@ -1422,6 +1427,40 @@ protected function sendmailSend($header, $body)
14221427 return true ;
14231428 }
14241429
1430+ /**
1431+ * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
1432+ *
1433+ * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
1434+ * @param string $string The string to be validated
1435+ * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
1436+ * @access protected
1437+ * @return boolean
1438+ */
1439+ protected static function isShellSafe ($ string
1440+ {
1441+ // Future-proof
1442+ if (escapeshellcmd ($ string$ string
1443+ or !in_array (escapeshellarg ($ stringarray ("' $ string' " , "\"$ string ))
1444+ ) {
1445+ return false ;
1446+ }
1447+
1448+ $ lengthstrlen ($ string
1449+
1450+ for ($ i0 ; $ i$ length$ i
1451+ $ c$ string$ i
1452+
1453+ // All other characters have a special meaning in at least one common shell, including = and +.
1454+ // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
1455+ // Note that this does permit non-Latin alphanumeric characters based on the current locale.
1456+ if (!ctype_alnum ($ cstrpos ('@_-. ' , $ cfalse ) {
1457+ return false ;
1458+ }
1459+ }
1460+
1461+ return true ;
1462+ }
1463+
14251464 /**
14261465 * Send mail using the PHP mail() function.
14271466 * @param string $header The message headers
@@ -1442,7 +1481,10 @@ protected function mailSend($header, $body)
14421481 $ paramsnull ;
14431482 //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
14441483 if (!empty ($ this Sender ) and $ this validateAddress ($ this Sender )) {
1445- $ paramssprintf ('-f%s ' , escapeshellarg ($ this Sender ));
1484+ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
1485+ if (self ::isShellSafe ($ this Sender )) {
1486+ $ paramssprintf ('-f%s ' , $ this Sender );
1487+ }
14461488 }
14471489 if (!empty ($ this Sender ) and !ini_get ('safe_mode ' ) and $ this validateAddress ($ this Sender )) {
14481490 $ old_fromini_get ('sendmail_from ' );
0 commit comments