[pkg-php-pear] Bug#905254: NMU libphp-phpmailer to update to the latest upstream version
Paul Gevers
elbrus at debian.org
Sun Jan 13 09:49:53 GMT 2019
Control: tags 905254 + patch
Control: tags 905254 + pending
Dear maintainer,
I've prepared an NMU for libphp-phpmailer (versioned as 6.0.6-0.1) and
am about to upload it to DELAYED/15. Please feel free to tell me if I
should delay it longer.
I took the upstream file here:
https://github.com/PHPMailer/PHPMailer/archive/v6.0.6.tar.gz
Please find my changes to the debian packaging in the attached debdiff
(without the upstream changes to avoid a huge debdiff).
Regards.
Paul
Sent from the BSP in Venlo
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/changelog libphp-phpmailer-6.0.6/debian/changelog
--- libphp-phpmailer-5.2.14+dfsg/debian/changelog 2018-12-01 15:09:47.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/changelog 2019-01-13 09:30:40.000000000 +0100
@@ -1,3 +1,11 @@
+libphp-phpmailer (6.0.6-0.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * New upstream release (Closes: #905254)
+ * Drop patches, applied upstream
+
+ -- Paul Gevers <elbrus at debian.org> Sun, 13 Jan 2019 09:30:40 +0100
+
libphp-phpmailer (5.2.14+dfsg-2.4) unstable; urgency=medium
* Non-maintainer upload.
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/docs libphp-phpmailer-6.0.6/debian/docs
--- libphp-phpmailer-5.2.14+dfsg/debian/docs 2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/docs 2019-01-13 09:30:40.000000000 +0100
@@ -1,3 +1 @@
README.md
-docs
-test
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/install libphp-phpmailer-6.0.6/debian/install
--- libphp-phpmailer-5.2.14+dfsg/debian/install 2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/install 2019-01-13 09:30:40.000000000 +0100
@@ -1,3 +1,3 @@
*.php usr/share/php/libphp-phpmailer
-extras usr/share/php/libphp-phpmailer
language usr/share/php/libphp-phpmailer
+src usr/share/php/libphp-phpmailer
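Review bot: Reverse dependencies that `require 'libphp-phpmailer/PHPMailerAutoload.php'` (the path the dropped patch 0001 hard-wired into README and examples) will fail at load time once the classes are shipped as a `src/` subdirectory, if 6.0.6 no longer carries that autoloader as the move to `src` suggests; a silent layout change in a library package needs a `Breaks:` on the known consumers or at least a NEWS/changelog transition note, and the install path should be checked against the PSR-4 mapping in upstream's `composer.json` rather than nesting `src/` under the old directory. The surviving `*.php` glob also installs whatever sits at the top level; patch 0001 shows `get_oauth_token.php` there, an interactive OAuth helper that calls `session_start()` and handles request parameters, which is a tool rather than a library file and, if still present in 6.0.6, belongs in examples or docs, not on the include path. Consider `src/* usr/share/php/libphp-phpmailer` and an explicit file list instead of the glob so that only class files land in the include path.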
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0001-Fix-actual-autoloader-path.patch libphp-phpmailer-6.0.6/debian/patches/0001-Fix-actual-autoloader-path.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0001-Fix-actual-autoloader-path.patch 2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/0001-Fix-actual-autoloader-path.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,267 +0,0 @@
-From: =?utf-8?q?David_Pr=C3=A9vot?= <david at tilapin.org>
-Date: Sun, 6 Dec 2015 18:55:47 -0400
-Subject: Fix actual autoloader path
-
-Forwarded: not-needed
----
- README.md | 2 +-
- docs/extending.html | 4 ++--
- examples/code_generator.phps | 4 ++--
- examples/exceptions.phps | 2 +-
- examples/gmail.phps | 2 +-
- examples/gmail_xoauth.phps | 4 ++--
- examples/mail.phps | 2 +-
- examples/mailing_list.phps | 2 +-
- examples/pop_before_smtp.phps | 2 +-
- examples/sendmail.phps | 2 +-
- examples/signed-mail.phps | 2 +-
- examples/smtp.phps | 2 +-
- examples/smtp_check.phps | 2 +-
- examples/smtp_no_auth.phps | 2 +-
- examples/ssl_options.phps | 2 +-
- get_oauth_token.php | 2 +-
- test/bootstrap.php | 2 +-
- 17 files changed, 20 insertions(+), 20 deletions(-)
-
-diff --git a/README.md b/README.md
-index 0ecfa5d..16efef8 100644
---- a/README.md
-+++ b/README.md
-@@ -68,7 +68,7 @@ While installing the entire package manually or with composer is simple, conveni
-
- ```php
- <?php
--require 'PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- $mail = new PHPMailer;
-
-diff --git a/docs/extending.html b/docs/extending.html
-index 4466a1d..1f68963 100644
---- a/docs/extending.html
-+++ b/docs/extending.html
-@@ -14,7 +14,7 @@ This demonstrates sending multiple email messages with binary attachments
- from a MySQL database using multipart/alternative messages.<p>
-
- <pre>
--require 'PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- $mail = new PHPMailer();
-
-@@ -71,7 +71,7 @@ PHP include file: my_phpmailer.php
- <p>
-
- <pre>
--require 'PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- class my_phpmailer extends PHPMailer {
- // Set default variables for all new objects
-diff --git a/examples/code_generator.phps b/examples/code_generator.phps
-index 2345856..5e26a25 100644
---- a/examples/code_generator.phps
-+++ b/examples/code_generator.phps
-@@ -4,7 +4,7 @@
- * revised, updated and corrected 27/02/2013
- * by matt.sturdy at gmail.com
- */
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- $CFG['smtp_debug'] = 2; //0 == off, 1 for client output, 2 for client and server
- $CFG['smtp_debugoutput'] = 'html';
-@@ -40,7 +40,7 @@ $results_messages = array();
-
- // $example_code represents the "final code" that we're using, and will
- // be shown to the user at the end.
--$example_code = "\nrequire_once '../PHPMailerAutoload.php';";
-+$example_code = "\nrequire_once 'libphp-phpmailer/PHPMailerAutoload.php';";
- $example_code .= "\n\n\$results_messages = array();";
-
- $mail = new PHPMailer(true); //PHPMailer instance with exceptions enabled
-diff --git a/examples/exceptions.phps b/examples/exceptions.phps
-index 0e941e7..97378b4 100644
---- a/examples/exceptions.phps
-+++ b/examples/exceptions.phps
-@@ -3,7 +3,7 @@
- * This example shows how to make use of PHPMailer's exceptions for error handling.
- */
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- //Create a new PHPMailer instance
- //Passing true to the constructor enables the use of exceptions for error handling
-diff --git a/examples/gmail.phps b/examples/gmail.phps
-index b3cc02d..896a523 100644
---- a/examples/gmail.phps
-+++ b/examples/gmail.phps
-@@ -7,7 +7,7 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/examples/gmail_xoauth.phps b/examples/gmail_xoauth.phps
-index d64483a..78c6746 100644
---- a/examples/gmail_xoauth.phps
-+++ b/examples/gmail_xoauth.phps
-@@ -7,11 +7,11 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmaillibphp-phpmailer/PHPMailerAutoload.php';
-
- //Load dependencies from composer
- //If this causes an error, run 'composer install'
--require '../vendor/autoload.php';
-+require 'libphp-phpmailer/autoload.php';
-
- //Create a new PHPMailer instance
- $mail = new PHPMailerOAuth;
-diff --git a/examples/mail.phps b/examples/mail.phps
-index 8e129f4..41fcf36 100644
---- a/examples/mail.phps
-+++ b/examples/mail.phps
-@@ -3,7 +3,7 @@
- * This example shows sending a message using PHP's mail() function.
- */
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/examples/mailing_list.phps b/examples/mailing_list.phps
-index 8644bb5..7f5245c 100644
---- a/examples/mailing_list.phps
-+++ b/examples/mailing_list.phps
-@@ -4,7 +4,7 @@ error_reporting(E_STRICT | E_ALL);
-
- date_default_timezone_set('Etc/UTC');
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- $mail = new PHPMailer;
-
-diff --git a/examples/pop_before_smtp.phps b/examples/pop_before_smtp.phps
-index 164dfe8..97314b5 100644
---- a/examples/pop_before_smtp.phps
-+++ b/examples/pop_before_smtp.phps
-@@ -3,7 +3,7 @@
- * This example shows how to use POP-before-SMTP for authentication.
- */
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- //Authenticate via POP3.
- //After this you should be allowed to submit messages over SMTP for a while.
-diff --git a/examples/sendmail.phps b/examples/sendmail.phps
-index a830e49..0c157b6 100644
---- a/examples/sendmail.phps
-+++ b/examples/sendmail.phps
-@@ -3,7 +3,7 @@
- * This example shows sending a message using a local sendmail binary.
- */
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/examples/signed-mail.phps b/examples/signed-mail.phps
-index 9d70d01..1e8cf76 100644
---- a/examples/signed-mail.phps
-+++ b/examples/signed-mail.phps
-@@ -44,7 +44,7 @@
- * STEP 3 - Code
- */
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- //Create a new PHPMailer instance
- $mail = new PHPMailer();
-diff --git a/examples/smtp.phps b/examples/smtp.phps
-index 7c6b023..1eb09f7 100644
---- a/examples/smtp.phps
-+++ b/examples/smtp.phps
-@@ -7,7 +7,7 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/examples/smtp_check.phps b/examples/smtp_check.phps
-index c42ed0b..b3b80b9 100644
---- a/examples/smtp_check.phps
-+++ b/examples/smtp_check.phps
-@@ -8,7 +8,7 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- //Create a new SMTP instance
- $smtp = new SMTP;
-diff --git a/examples/smtp_no_auth.phps b/examples/smtp_no_auth.phps
-index b590298..ab3306f 100644
---- a/examples/smtp_no_auth.phps
-+++ b/examples/smtp_no_auth.phps
-@@ -7,7 +7,7 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
-
--require_once '../PHPMailerAutoload.php';
-+require_once 'libphp-phpmailer/PHPMailerAutoload.php';
-
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/examples/ssl_options.phps b/examples/ssl_options.phps
-index cc41495..58d4c07 100644
---- a/examples/ssl_options.phps
-+++ b/examples/ssl_options.phps
-@@ -7,7 +7,7 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
-
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
-
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/get_oauth_token.php b/get_oauth_token.php
-index 46eb28a..dcbe1a8 100644
---- a/get_oauth_token.php
-+++ b/get_oauth_token.php
-@@ -13,7 +13,7 @@
- * PHP Version 5.4
- */
-
--require 'vendor/autoload.php';
-+require 'libphp-phpmailer/autoload.php';
-
- session_start();
-
-diff --git a/test/bootstrap.php b/test/bootstrap.php
-index 056c16d..50d12ba 100644
---- a/test/bootstrap.php
-+++ b/test/bootstrap.php
-@@ -1,5 +1,5 @@
- <?php
--require_once 'vendor/autoload.php';
-+require_once 'libphp-phpmailer/autoload.php';
- spl_autoload_register(function ($class) {
- require_once strtr($class, '\\_', '//').'.php';
- });
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch libphp-phpmailer-6.0.6/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch 2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,106 +0,0 @@
-diff -Nur libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php
---- libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php 2015-11-01 10:15:28.000000000 +0000
-+++ libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php 2017-01-02 14:20:47.484824213 +0000
-@@ -1329,19 +1329,24 @@
- */
- protected function sendmailSend($header, $body)
- {
-- if ($this->Sender != '') {
-+ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
-+ if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
- if ($this->Mailer == 'qmail') {
-- $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
-+ $sendmailFmt = '%s -f%s';
- } else {
-- $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
-+ $sendmailFmt = '%s -oi -f%s -t';
- }
- } else {
- if ($this->Mailer == 'qmail') {
-- $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
-+ $sendmailFmt = '%s';
- } else {
-- $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
-+ $sendmailFmt = '%s -oi -t';
- }
- }
-+
-+ // TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing.
-+ $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
-+
- if ($this->SingleTo) {
- foreach ($this->SingleToArray as $toAddr) {
- if (!@$mail = popen($sendmail, 'w')) {
-@@ -1388,6 +1393,38 @@
- }
-
- /**
-+ * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
-+ *
-+ * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
-+ * @param string $string The string to be validated
-+ * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
-+ * @access protected
-+ * @return boolean
-+ */
-+ protected static function isShellSafe($string)
-+ {
-+ // Future-proof
-+ if (escapeshellcmd($string) !== $string or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
-+ return false;
-+ }
-+
-+ $length = strlen($string);
-+
-+ for ($i = 0; $i < $length; $i++) {
-+ $c = $string[$i];
-+
-+ // All other characters have a special meaning in at least one common shell, including = and +.
-+ // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
-+ // Note that this does permit non-Latin alphanumeric characters based on the current locale.
-+ if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
-+ return false;
-+ }
-+ }
-+
-+ return true;
-+ }
-+
-+ /**
- * Send mail using the PHP mail() function.
- * @param string $header The message headers
- * @param string $body The message body
-@@ -1404,12 +1441,14 @@
- }
- $to = implode(', ', $toArr);
-
-- if (empty($this->Sender)) {
-- $params = ' ';
-- } else {
-- $params = sprintf('-f%s', $this->Sender);
-+ $params = null;
-+ if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
-+ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
-+ if (self::isShellSafe($this->Sender)) {
-+ $params = sprintf('-f%s', $this->Sender);
-+ }
- }
-- if ($this->Sender != '' and !ini_get('safe_mode')) {
-+ if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
- $old_from = ini_get('sendmail_from');
- ini_set('sendmail_from', $this->Sender);
- }
-@@ -1463,10 +1502,10 @@
- if (!$this->smtpConnect($this->SMTPOptions)) {
- throw new phpmailerException($this->lang('smtp_connect_failed'), self::STOP_CRITICAL);
- }
-- if ('' == $this->Sender) {
-- $smtp_from = $this->From;
-- } else {
-+ if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
- $smtp_from = $this->Sender;
-+ } else {
-+ $smtp_from = $this->From;
- }
- if (!$this->smtp->mail($smtp_from)) {
- $this->setError($this->lang('from_failed') . $smtp_from . ' : ' . implode(',', $this->smtp->getError()));
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0003-CVE-2017-5223.patch libphp-phpmailer-6.0.6/debian/patches/0003-CVE-2017-5223.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0003-CVE-2017-5223.patch 2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/0003-CVE-2017-5223.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,92 +0,0 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 25 Feb 2017 19:00:40 +0100
-Subject: CVE-2017-5223
-
-It was discovered that there was a local file disclosure vulnerability in
-libphp-phpmailer, a email transfer class for PHP, where insufficient parsing of
-HTML messages could potentially be used by attacker to read a local file.
-
-Bug-Debian: https://bugs.debian.org/853232
-Origin: https://github.com/PHPMailer/PHPMailer/commit/ad4cb09682682da2217799a0c521d4cdc6753402
----
- class.phpmailer.php | 30 +++++++++++++++++++++++-------
- 1 file changed, 23 insertions(+), 7 deletions(-)
-
-diff --git a/class.phpmailer.php b/class.phpmailer.php
-index 8aa4752..5c43d1b 100644
---- a/class.phpmailer.php
-+++ b/class.phpmailer.php
-@@ -2418,6 +2418,7 @@ class PHPMailer
-
- /**
- * Add an attachment from a path on the filesystem.
-+ * Never use a user-supplied path to a file!
- * Returns false if the file could not be found or read.
- * @param string $path Path to the attachment.
- * @param string $name Overrides the attachment name.
-@@ -2943,6 +2944,7 @@ class PHPMailer
- * displayed inline with the message, not just attached for download.
- * This is used in HTML messages that embed the images
- * the HTML refers to using the $cid value.
-+ * Never use a user-supplied path to a file!
- * @param string $path Path to the attachment.
- * @param string $cid Content ID of the attachment; Use this to reference
- * the content when using an embedded image in HTML.
-@@ -3306,10 +3308,14 @@ class PHPMailer
- * Create a message from an HTML string.
- * Automatically makes modifications for inline images and backgrounds
- * and creates a plain-text version by converting the HTML.
-- * Overwrites any existing values in $this->Body and $this->AltBody
-+ * Overwrites any existing values in Body and AltBody
-+ * Do not source $message content from user input!
-+ * $basedir is prepended when handling relative URLs, e.g. <img src="/images/a.png"> and must not be empty
-+ * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email)
-+ * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly.
- * @access public
- * @param string $message HTML message string
-- * @param string $basedir baseline directory for path
-+ * @param string $basedir Absolute path to a base directory to prepend to relative paths to images
- * @param boolean|callable $advanced Whether to use the internal HTML to text converter
- * or your own custom converter @see PHPMailer::html2text()
- * @return string $message
-@@ -3318,6 +3324,10 @@ class PHPMailer
- {
- preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images);
- if (array_key_exists(2, $images)) {
-+ if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
-+ // Ensure $basedir has a trailing /
-+ $basedir .= '/';
-+ }
- foreach ($images[2] as $imgindex => $url) {
- // Convert data URIs into embedded images
- if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) {
-@@ -3335,18 +3345,24 @@ class PHPMailer
- $message
- );
- }
-- } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[A-z]+://#', $url)) {
-- // Do not change urls for absolute images (thanks to corvuscorax)
-+ continue;
-+ }
-+ if (
-+ // Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
-+ !empty($basedir)
-+ // Ignore URLs containing parent dir traversal (..)
-+ && (strpos($url, '..') === false)
- // Do not change urls that are already inline images
-+ && substr($url, 0, 4) !== 'cid:'
-+ // Do not change absolute URLs, including anonymous protocol
-+ && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url)
-+ ) {
- $filename = basename($url);
- $directory = dirname($url);
- if ($directory == '.') {
- $directory = '';
- }
- $cid = md5($url) . '@phpmailer.0'; // RFC2392 S 2
-- if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
-- $basedir .= '/';
-- }
- if (strlen($directory) > 1 && substr($directory, -1) != '/') {
- $directory .= '/';
- }
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch libphp-phpmailer-6.0.6/debian/patches/0004-CVE-2018-19296.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch 2018-12-01 15:09:27.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/0004-CVE-2018-19296.patch 1970-01-01 01:00:00.000000000 +0100
@@ -1,114 +0,0 @@
-From: Marcus Bointon <marcus at synchromedia.co.uk>
-Date: Thu, 15 Nov 2018 23:27:24 +0100
-Subject: Backport changes for CVE-2018-19296
-Origin: https://github.com/PHPMailer/PHPMailer/commit/f1231a9771505f4f34da060390d82eadb8448271
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19296
-Bug-Debian: https://bugs.debian.org/913912
-
-[Salvatore Bonaccorso: Backport changes to 5.2.14: Check for permitted
-path for $this->DKIM_private before checking if file_exists following
-the logic applied for the upstream patch]
----
- class.phpmailer.php | 31 ++++++++++++++++++++++++-------
- test/phpmailerTest.php | 16 ++++++++++++++++
- 2 files changed, 40 insertions(+), 7 deletions(-)
-
---- a/class.phpmailer.php
-+++ b/class.phpmailer.php
-@@ -1263,6 +1263,7 @@ class PHPMailer
- if (!empty($this->DKIM_domain)
- && !empty($this->DKIM_private)
- && !empty($this->DKIM_selector)
-+ && self::isPermittedPath($this->DKIM_private)
- && file_exists($this->DKIM_private)) {
- $header_dkim = $this->DKIM_Add(
- $this->MIMEHeader . $this->mailHeader,
-@@ -1425,6 +1426,18 @@ class PHPMailer
- }
-
- /**
-+ * Check whether a file path is of a permitted type.
-+ * Used to reject URLs and phar files from functions that access local file paths,
-+ * such as addAttachment.
-+ * @param string $path A relative or absolute path to a file.
-+ * @return bool
-+ */
-+ protected static function isPermittedPath($path)
-+ {
-+ return !preg_match('#^[a-z]+://#i', $path);
-+ }
-+
-+ /**
- * Send mail using the PHP mail() function.
- * @param string $header The message headers
- * @param string $body The message body
-@@ -1723,7 +1736,7 @@ class PHPMailer
- // There is no English translation file
- if ($langcode != 'en') {
- // Make sure language file path is readable
-- if (!is_readable($lang_file)) {
-+ if (!self::isPermittedPath($lang_file) or !is_readable($lang_file)) {
- $foundlang = false;
- } else {
- // Overwrite language-specific strings.
-@@ -2420,6 +2433,8 @@ class PHPMailer
- * Add an attachment from a path on the filesystem.
- * Never use a user-supplied path to a file!
- * Returns false if the file could not be found or read.
-+ * Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client.
-+ * If you need to do that, fetch the resource yourself and pass it in via a local file or string.
- * @param string $path Path to the attachment.
- * @param string $name Overrides the attachment name.
- * @param string $encoding File encoding (see $Encoding).
-@@ -2431,7 +2446,7 @@ class PHPMailer
- public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment')
- {
- try {
-- if (!@is_file($path)) {
-+ if (!self::isPermittedPath($path) or !@is_file($path)) {
- throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
- }
-
-@@ -2612,7 +2627,7 @@ class PHPMailer
- protected function encodeFile($path, $encoding = 'base64')
- {
- try {
-- if (!is_readable($path)) {
-+ if (!self::isPermittedPath($path) or !file_exists($path)) {
- throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE);
- }
- $magic_quotes = get_magic_quotes_runtime();
-@@ -2956,7 +2971,7 @@ class PHPMailer
- */
- public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline')
- {
-- if (!@is_file($path)) {
-+ if (!self::isPermittedPath($path) or !@is_file($path)) {
- $this->setError($this->lang('file_access') . $path);
- return false;
- }
---- a/test/phpmailerTest.php
-+++ b/test/phpmailerTest.php
-@@ -740,6 +740,22 @@ class PHPMailerTest extends PHPUnit_Fram
- }
-
- /**
-+ * Rejection of non-local file attachments test.
-+ */
-+ public function testRejectNonLocalFileAttachment()
-+ {
-+ $this->assertFalse(
-+ $this->Mail->addAttachment('https://github.com/PHPMailer/PHPMailer/raw/master/README.md'),
-+ 'addAttachment should reject remote URLs'
-+ );
-+
-+ $this->assertFalse(
-+ $this->Mail->addAttachment('phar://phar.php'),
-+ 'addAttachment should reject phar resources'
-+ );
-+ }
-+
-+ /**
- * Simple plain string attachment test.
- */
- public function testPlainStringAttachment()
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/series libphp-phpmailer-6.0.6/debian/patches/series
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/series 2018-12-01 14:57:11.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
@@ -1,4 +0,0 @@
-0001-Fix-actual-autoloader-path.patch
-0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
-0003-CVE-2017-5223.patch
-0004-CVE-2018-19296.patch
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/rules libphp-phpmailer-6.0.6/debian/rules
--- libphp-phpmailer-5.2.14+dfsg/debian/rules 2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/rules 2019-01-13 09:30:40.000000000 +0100
@@ -1,6 +1,6 @@
#!/usr/bin/make -f
%:
- dh $@ --with phpcomposer -Xextras/README.md -Xgeneratedocs.sh
+ dh $@ --with phpcomposer
override_dh_auto_build:
phpab \
@@ -9,9 +9,5 @@
--exclude '*/.pc/*' \
.
-override_dh_installdocs:
- dh_installdocs
- install extras/README.md debian/libphp-phpmailer/usr/share/doc/libphp-phpmailer/README-extras.md
-
get-orig-source:
uscan --rename --verbose --force
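Review bot: The upload ships v6.0.6 as fetched from GitHub's auto-generated archive URL, with the `+dfsg` suffix and the `-Xextras/README.md -Xgeneratedocs.sh` exclusions gone, yet nothing in the debdiff shows that the material the earlier repack stripped (presumably the `extras/` tree, given the exclusions and README-extras step being removed here) is absent from 6.0.6, or that the tarball was checked against upstream's release via `debian/watch`/`uscan` with a checksum or signature; since the debdiff deliberately omits the upstream changes, that provenance check is the only thing standing between the archive and an unreviewed tree. It is also worth recording, in the changelog, that the deleted patches 0002-0004 are the fixes for CVE-2016-10033, CVE-2016-10045, CVE-2017-5223 and CVE-2018-19296 and that each is present in 6.0.6, e.g. `  * Drop patches 0002-0004: fixes for CVE-2016-10033, CVE-2016-10045, CVE-2017-5223 and CVE-2018-19296 are included upstream`, so the security tracker can be updated against this version. The `phpab` invocation starts before this hunk, so its remaining arguments (and whether `test/` and `examples/` are excluded from the generated autoloader now that `test` is no longer installed) are not visible here.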