[pkg-php-pear] Bug#905254: NMU libphp-phpmailer to update to the latest upstream version

Paul Gevers elbrus at debian.org
Sun Jan 13 09:49:53 GMT 2019


Control: tags 905254 + patch
Control: tags 905254 + pending

Dear maintainer,

I've prepared an NMU for libphp-phpmailer (versioned as 6.0.6-0.1) and
am about to upload it to DELAYED/15. Please feel free to tell me if I
should delay it longer.

I took the upstream file here:
https://github.com/PHPMailer/PHPMailer/archive/v6.0.6.tar.gz

Please find my changes to the debian packaging in the attached debdiff
(without the upstream changes to avoid a huge debdiff).

Regards.
Paul
Sent from the BSP in Venlo
-------------- next part --------------
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/changelog libphp-phpmailer-6.0.6/debian/changelog
--- libphp-phpmailer-5.2.14+dfsg/debian/changelog	2018-12-01 15:09:47.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/changelog	2019-01-13 09:30:40.000000000 +0100
@@ -1,3 +1,11 @@
+libphp-phpmailer (6.0.6-0.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * New upstream release (Closes: #905254)
+  * Drop patches, applied upstream
+
+ -- Paul Gevers <elbrus at debian.org>  Sun, 13 Jan 2019 09:30:40 +0100
+
 libphp-phpmailer (5.2.14+dfsg-2.4) unstable; urgency=medium
 
   * Non-maintainer upload.
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/docs libphp-phpmailer-6.0.6/debian/docs
--- libphp-phpmailer-5.2.14+dfsg/debian/docs	2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/docs	2019-01-13 09:30:40.000000000 +0100
@@ -1,3 +1 @@
 README.md
-docs
-test
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/install libphp-phpmailer-6.0.6/debian/install
--- libphp-phpmailer-5.2.14+dfsg/debian/install	2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/install	2019-01-13 09:30:40.000000000 +0100
@@ -1,3 +1,3 @@
 *.php		usr/share/php/libphp-phpmailer
-extras		usr/share/php/libphp-phpmailer
 language	usr/share/php/libphp-phpmailer
+src        	usr/share/php/libphp-phpmailer
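Review bot: The unchanged `*.php` glob on the first line of this hunk now installs whatever top-level PHP scripts 6.0.6 ships, while the dropped 0001 patch was marked `Forwarded: not-needed` and rewrote a top-level script's `require 'vendor/autoload.php'` (in `get_oauth_token.php` in the old tree) to the packaged autoloader path, so it was a Debian path fix rather than something applied upstream as the changelog entry states. If that script is still present at the top level of 6.0.6 it will be shipped under `usr/share/php/libphp-phpmailer` with a `require` that cannot resolve; either carry a path-fix patch for it or narrow the glob to the files actually needed. I cannot see the 6.0.6 tree from the debdiff, so please confirm which top-level `.php` files exist. The added `src` line also mixes a run of spaces with a tab where the neighbouring lines use tabs only; replacing the spaces with a single tab keeps the file consistent.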
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0001-Fix-actual-autoloader-path.patch libphp-phpmailer-6.0.6/debian/patches/0001-Fix-actual-autoloader-path.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0001-Fix-actual-autoloader-path.patch	2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/0001-Fix-actual-autoloader-path.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,267 +0,0 @@
-From: =?utf-8?q?David_Pr=C3=A9vot?= <david at tilapin.org>
-Date: Sun, 6 Dec 2015 18:55:47 -0400
-Subject: Fix actual autoloader path
-
-Forwarded: not-needed
----
- README.md                     | 2 +-
- docs/extending.html           | 4 ++--
- examples/code_generator.phps  | 4 ++--
- examples/exceptions.phps      | 2 +-
- examples/gmail.phps           | 2 +-
- examples/gmail_xoauth.phps    | 4 ++--
- examples/mail.phps            | 2 +-
- examples/mailing_list.phps    | 2 +-
- examples/pop_before_smtp.phps | 2 +-
- examples/sendmail.phps        | 2 +-
- examples/signed-mail.phps     | 2 +-
- examples/smtp.phps            | 2 +-
- examples/smtp_check.phps      | 2 +-
- examples/smtp_no_auth.phps    | 2 +-
- examples/ssl_options.phps     | 2 +-
- get_oauth_token.php           | 2 +-
- test/bootstrap.php            | 2 +-
- 17 files changed, 20 insertions(+), 20 deletions(-)
-
-diff --git a/README.md b/README.md
-index 0ecfa5d..16efef8 100644
---- a/README.md
-+++ b/README.md
-@@ -68,7 +68,7 @@ While installing the entire package manually or with composer is simple, conveni
- 
- ```php
- <?php
--require 'PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- $mail = new PHPMailer;
- 
-diff --git a/docs/extending.html b/docs/extending.html
-index 4466a1d..1f68963 100644
---- a/docs/extending.html
-+++ b/docs/extending.html
-@@ -14,7 +14,7 @@ This demonstrates sending multiple email messages with binary attachments
- from a MySQL database using multipart/alternative messages.<p>
- 
- <pre>
--require 'PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- $mail = new PHPMailer();
- 
-@@ -71,7 +71,7 @@ PHP include file: my_phpmailer.php
- <p>
- 
- <pre>
--require 'PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- class my_phpmailer extends PHPMailer {
-     // Set default variables for all new objects
-diff --git a/examples/code_generator.phps b/examples/code_generator.phps
-index 2345856..5e26a25 100644
---- a/examples/code_generator.phps
-+++ b/examples/code_generator.phps
-@@ -4,7 +4,7 @@
-  * revised, updated and corrected 27/02/2013
-  * by matt.sturdy at gmail.com
-  */
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- $CFG['smtp_debug'] = 2; //0 == off, 1 for client output, 2 for client and server
- $CFG['smtp_debugoutput'] = 'html';
-@@ -40,7 +40,7 @@ $results_messages = array();
- 
- // $example_code represents the "final code" that we're using, and will
- // be shown to the user at the end.
--$example_code = "\nrequire_once '../PHPMailerAutoload.php';";
-+$example_code = "\nrequire_once 'libphp-phpmailer/PHPMailerAutoload.php';";
- $example_code .= "\n\n\$results_messages = array();";
- 
- $mail = new PHPMailer(true);  //PHPMailer instance with exceptions enabled
-diff --git a/examples/exceptions.phps b/examples/exceptions.phps
-index 0e941e7..97378b4 100644
---- a/examples/exceptions.phps
-+++ b/examples/exceptions.phps
-@@ -3,7 +3,7 @@
-  * This example shows how to make use of PHPMailer's exceptions for error handling.
-  */
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- //Create a new PHPMailer instance
- //Passing true to the constructor enables the use of exceptions for error handling
-diff --git a/examples/gmail.phps b/examples/gmail.phps
-index b3cc02d..896a523 100644
---- a/examples/gmail.phps
-+++ b/examples/gmail.phps
-@@ -7,7 +7,7 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/examples/gmail_xoauth.phps b/examples/gmail_xoauth.phps
-index d64483a..78c6746 100644
---- a/examples/gmail_xoauth.phps
-+++ b/examples/gmail_xoauth.phps
-@@ -7,11 +7,11 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmaillibphp-phpmailer/PHPMailerAutoload.php';
- 
- //Load dependencies from composer
- //If this causes an error, run 'composer install'
--require '../vendor/autoload.php';
-+require 'libphp-phpmailer/autoload.php';
- 
- //Create a new PHPMailer instance
- $mail = new PHPMailerOAuth;
-diff --git a/examples/mail.phps b/examples/mail.phps
-index 8e129f4..41fcf36 100644
---- a/examples/mail.phps
-+++ b/examples/mail.phps
-@@ -3,7 +3,7 @@
-  * This example shows sending a message using PHP's mail() function.
-  */
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/examples/mailing_list.phps b/examples/mailing_list.phps
-index 8644bb5..7f5245c 100644
---- a/examples/mailing_list.phps
-+++ b/examples/mailing_list.phps
-@@ -4,7 +4,7 @@ error_reporting(E_STRICT | E_ALL);
- 
- date_default_timezone_set('Etc/UTC');
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- $mail = new PHPMailer;
- 
-diff --git a/examples/pop_before_smtp.phps b/examples/pop_before_smtp.phps
-index 164dfe8..97314b5 100644
---- a/examples/pop_before_smtp.phps
-+++ b/examples/pop_before_smtp.phps
-@@ -3,7 +3,7 @@
-  * This example shows how to use POP-before-SMTP for authentication.
-  */
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- //Authenticate via POP3.
- //After this you should be allowed to submit messages over SMTP for a while.
-diff --git a/examples/sendmail.phps b/examples/sendmail.phps
-index a830e49..0c157b6 100644
---- a/examples/sendmail.phps
-+++ b/examples/sendmail.phps
-@@ -3,7 +3,7 @@
-  * This example shows sending a message using a local sendmail binary.
-  */
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/examples/signed-mail.phps b/examples/signed-mail.phps
-index 9d70d01..1e8cf76 100644
---- a/examples/signed-mail.phps
-+++ b/examples/signed-mail.phps
-@@ -44,7 +44,7 @@
-  * STEP 3 - Code
-  */
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- //Create a new PHPMailer instance
- $mail = new PHPMailer();
-diff --git a/examples/smtp.phps b/examples/smtp.phps
-index 7c6b023..1eb09f7 100644
---- a/examples/smtp.phps
-+++ b/examples/smtp.phps
-@@ -7,7 +7,7 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/examples/smtp_check.phps b/examples/smtp_check.phps
-index c42ed0b..b3b80b9 100644
---- a/examples/smtp_check.phps
-+++ b/examples/smtp_check.phps
-@@ -8,7 +8,7 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- //Create a new SMTP instance
- $smtp = new SMTP;
-diff --git a/examples/smtp_no_auth.phps b/examples/smtp_no_auth.phps
-index b590298..ab3306f 100644
---- a/examples/smtp_no_auth.phps
-+++ b/examples/smtp_no_auth.phps
-@@ -7,7 +7,7 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
- 
--require_once '../PHPMailerAutoload.php';
-+require_once 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/examples/ssl_options.phps b/examples/ssl_options.phps
-index cc41495..58d4c07 100644
---- a/examples/ssl_options.phps
-+++ b/examples/ssl_options.phps
-@@ -7,7 +7,7 @@
- //This should be done in your php.ini, but this is how to do it if you don't have access to that
- date_default_timezone_set('Etc/UTC');
- 
--require '../PHPMailerAutoload.php';
-+require 'libphp-phpmailer/PHPMailerAutoload.php';
- 
- //Create a new PHPMailer instance
- $mail = new PHPMailer;
-diff --git a/get_oauth_token.php b/get_oauth_token.php
-index 46eb28a..dcbe1a8 100644
---- a/get_oauth_token.php
-+++ b/get_oauth_token.php
-@@ -13,7 +13,7 @@
-  * PHP Version 5.4
-  */
- 
--require 'vendor/autoload.php';
-+require 'libphp-phpmailer/autoload.php';
- 
- session_start();
- 
-diff --git a/test/bootstrap.php b/test/bootstrap.php
-index 056c16d..50d12ba 100644
---- a/test/bootstrap.php
-+++ b/test/bootstrap.php
-@@ -1,5 +1,5 @@
- <?php
--require_once 'vendor/autoload.php';
-+require_once 'libphp-phpmailer/autoload.php';
- spl_autoload_register(function ($class) {
-     require_once strtr($class, '\\_', '//').'.php';
- });
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch libphp-phpmailer-6.0.6/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch	2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/0002-Fix-CVE-2016-10033-CVE-2016-10045.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,106 +0,0 @@
-diff -Nur libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php
---- libphp-phpmailer-5.2.14+dfsg.orig/class.phpmailer.php	2015-11-01 10:15:28.000000000 +0000
-+++ libphp-phpmailer-5.2.14+dfsg.new/class.phpmailer.php	2017-01-02 14:20:47.484824213 +0000
-@@ -1329,19 +1329,24 @@
-      */
-     protected function sendmailSend($header, $body)
-     {
--        if ($this->Sender != '') {
-+        // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
-+        if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
-             if ($this->Mailer == 'qmail') {
--                $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
-+                $sendmailFmt = '%s -f%s';
-             } else {
--                $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
-+                $sendmailFmt = '%s -oi -f%s -t';
-             }
-         } else {
-             if ($this->Mailer == 'qmail') {
--                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
-+                $sendmailFmt = '%s';
-             } else {
--                $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
-+                $sendmailFmt = '%s -oi -t';
-             }
-         }
-+
-+        // TODO: If possible, this should be changed to escapeshellarg.  Needs thorough testing.
-+        $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
-+
-         if ($this->SingleTo) {
-             foreach ($this->SingleToArray as $toAddr) {
-                 if (!@$mail = popen($sendmail, 'w')) {
-@@ -1388,6 +1393,38 @@
-     }
- 
-     /**
-+     * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
-+     *
-+     * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
-+     * @param string $string The string to be validated
-+     * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
-+     * @access protected
-+     * @return boolean
-+     */
-+    protected static function isShellSafe($string)
-+    {
-+        // Future-proof
-+        if (escapeshellcmd($string) !== $string or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
-+            return false;
-+        }
-+
-+        $length = strlen($string);
-+
-+        for ($i = 0; $i < $length; $i++) {
-+            $c = $string[$i];
-+
-+            // All other characters have a special meaning in at least one common shell, including = and +.
-+            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
-+            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
-+            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
-+                return false;
-+            }
-+        }
-+
-+        return true;
-+    }
-+
-+    /**
-      * Send mail using the PHP mail() function.
-      * @param string $header The message headers
-      * @param string $body The message body
-@@ -1404,12 +1441,14 @@
-         }
-         $to = implode(', ', $toArr);
- 
--        if (empty($this->Sender)) {
--            $params = ' ';
--        } else {
--            $params = sprintf('-f%s', $this->Sender);
-+        $params = null;
-+        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
-+            // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
-+            if (self::isShellSafe($this->Sender)) {
-+                $params = sprintf('-f%s', $this->Sender);
-+            }
-         }
--        if ($this->Sender != '' and !ini_get('safe_mode')) {
-+        if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
-             $old_from = ini_get('sendmail_from');
-             ini_set('sendmail_from', $this->Sender);
-         }
-@@ -1463,10 +1502,10 @@
-         if (!$this->smtpConnect($this->SMTPOptions)) {
-             throw new phpmailerException($this->lang('smtp_connect_failed'), self::STOP_CRITICAL);
-         }
--        if ('' == $this->Sender) {
--            $smtp_from = $this->From;
--        } else {
-+        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
-             $smtp_from = $this->Sender;
-+        } else {
-+            $smtp_from = $this->From;
-         }
-         if (!$this->smtp->mail($smtp_from)) {
-             $this->setError($this->lang('from_failed') . $smtp_from . ' : ' . implode(',', $this->smtp->getError()));
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0003-CVE-2017-5223.patch libphp-phpmailer-6.0.6/debian/patches/0003-CVE-2017-5223.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0003-CVE-2017-5223.patch	2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/0003-CVE-2017-5223.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,92 +0,0 @@
-From: Markus Koschany <apo at debian.org>
-Date: Sat, 25 Feb 2017 19:00:40 +0100
-Subject: CVE-2017-5223
-
-It was discovered that there was a local file disclosure vulnerability in
-libphp-phpmailer, a email transfer class for PHP, where insufficient parsing of
-HTML messages could potentially be used by attacker to read a local file.
-
-Bug-Debian: https://bugs.debian.org/853232
-Origin: https://github.com/PHPMailer/PHPMailer/commit/ad4cb09682682da2217799a0c521d4cdc6753402
----
- class.phpmailer.php | 30 +++++++++++++++++++++++-------
- 1 file changed, 23 insertions(+), 7 deletions(-)
-
-diff --git a/class.phpmailer.php b/class.phpmailer.php
-index 8aa4752..5c43d1b 100644
---- a/class.phpmailer.php
-+++ b/class.phpmailer.php
-@@ -2418,6 +2418,7 @@ class PHPMailer
- 
-     /**
-      * Add an attachment from a path on the filesystem.
-+     * Never use a user-supplied path to a file!
-      * Returns false if the file could not be found or read.
-      * @param string $path Path to the attachment.
-      * @param string $name Overrides the attachment name.
-@@ -2943,6 +2944,7 @@ class PHPMailer
-      * displayed inline with the message, not just attached for download.
-      * This is used in HTML messages that embed the images
-      * the HTML refers to using the $cid value.
-+     * Never use a user-supplied path to a file!
-      * @param string $path Path to the attachment.
-      * @param string $cid Content ID of the attachment; Use this to reference
-      *        the content when using an embedded image in HTML.
-@@ -3306,10 +3308,14 @@ class PHPMailer
-      * Create a message from an HTML string.
-      * Automatically makes modifications for inline images and backgrounds
-      * and creates a plain-text version by converting the HTML.
--     * Overwrites any existing values in $this->Body and $this->AltBody
-+     * Overwrites any existing values in Body and AltBody
-+     * Do not source $message content from user input!
-+     * $basedir is prepended when handling relative URLs, e.g. <img src="/images/a.png"> and must not be empty
-+     * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email)
-+     * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly.
-      * @access public
-      * @param string $message HTML message string
--     * @param string $basedir baseline directory for path
-+     * @param string $basedir Absolute path to a base directory to prepend to relative paths to images
-      * @param boolean|callable $advanced Whether to use the internal HTML to text converter
-      *    or your own custom converter @see PHPMailer::html2text()
-      * @return string $message
-@@ -3318,6 +3324,10 @@ class PHPMailer
-     {
-         preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images);
-         if (array_key_exists(2, $images)) {
-+            if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
-+                // Ensure $basedir has a trailing /
-+                $basedir .= '/';
-+            }
-             foreach ($images[2] as $imgindex => $url) {
-                 // Convert data URIs into embedded images
-                 if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) {
-@@ -3335,18 +3345,24 @@ class PHPMailer
-                             $message
-                         );
-                     }
--                } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[A-z]+://#', $url)) {
--                    // Do not change urls for absolute images (thanks to corvuscorax)
-+                    continue;
-+                }
-+                if (
-+                    // Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
-+                    !empty($basedir)
-+                    // Ignore URLs containing parent dir traversal (..)
-+                    && (strpos($url, '..') === false)
-                     // Do not change urls that are already inline images
-+                    && substr($url, 0, 4) !== 'cid:'
-+                    // Do not change absolute URLs, including anonymous protocol
-+                    && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url)
-+                ) {
-                     $filename = basename($url);
-                     $directory = dirname($url);
-                     if ($directory == '.') {
-                         $directory = '';
-                     }
-                     $cid = md5($url) . '@phpmailer.0'; // RFC2392 S 2
--                    if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
--                        $basedir .= '/';
--                    }
-                     if (strlen($directory) > 1 && substr($directory, -1) != '/') {
-                         $directory .= '/';
-                     }
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch libphp-phpmailer-6.0.6/debian/patches/0004-CVE-2018-19296.patch
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/0004-CVE-2018-19296.patch	2018-12-01 15:09:27.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/0004-CVE-2018-19296.patch	1970-01-01 01:00:00.000000000 +0100
@@ -1,114 +0,0 @@
-From: Marcus Bointon <marcus at synchromedia.co.uk>
-Date: Thu, 15 Nov 2018 23:27:24 +0100
-Subject: Backport changes for CVE-2018-19296
-Origin: https://github.com/PHPMailer/PHPMailer/commit/f1231a9771505f4f34da060390d82eadb8448271
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2018-19296
-Bug-Debian: https://bugs.debian.org/913912
-
-[Salvatore Bonaccorso: Backport changes to 5.2.14: Check for permitted
-path for $this->DKIM_private before checking if file_exists following
-the logic applied for the upstream patch]
----
- class.phpmailer.php    | 31 ++++++++++++++++++++++++-------
- test/phpmailerTest.php | 16 ++++++++++++++++
- 2 files changed, 40 insertions(+), 7 deletions(-)
-
---- a/class.phpmailer.php
-+++ b/class.phpmailer.php
-@@ -1263,6 +1263,7 @@ class PHPMailer
-             if (!empty($this->DKIM_domain)
-                 && !empty($this->DKIM_private)
-                 && !empty($this->DKIM_selector)
-+                && self::isPermittedPath($this->DKIM_private)
-                 && file_exists($this->DKIM_private)) {
-                 $header_dkim = $this->DKIM_Add(
-                     $this->MIMEHeader . $this->mailHeader,
-@@ -1425,6 +1426,18 @@ class PHPMailer
-     }
- 
-     /**
-+     * Check whether a file path is of a permitted type.
-+     * Used to reject URLs and phar files from functions that access local file paths,
-+     * such as addAttachment.
-+     * @param string $path A relative or absolute path to a file.
-+     * @return bool
-+     */
-+    protected static function isPermittedPath($path)
-+    {
-+        return !preg_match('#^[a-z]+://#i', $path);
-+    }
-+
-+    /**
-      * Send mail using the PHP mail() function.
-      * @param string $header The message headers
-      * @param string $body The message body
-@@ -1723,7 +1736,7 @@ class PHPMailer
-         // There is no English translation file
-         if ($langcode != 'en') {
-             // Make sure language file path is readable
--            if (!is_readable($lang_file)) {
-+            if (!self::isPermittedPath($lang_file) or !is_readable($lang_file)) {
-                 $foundlang = false;
-             } else {
-                 // Overwrite language-specific strings.
-@@ -2420,6 +2433,8 @@ class PHPMailer
-      * Add an attachment from a path on the filesystem.
-      * Never use a user-supplied path to a file!
-      * Returns false if the file could not be found or read.
-+     * Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client.
-+     * If you need to do that, fetch the resource yourself and pass it in via a local file or string.
-      * @param string $path Path to the attachment.
-      * @param string $name Overrides the attachment name.
-      * @param string $encoding File encoding (see $Encoding).
-@@ -2431,7 +2446,7 @@ class PHPMailer
-     public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment')
-     {
-         try {
--            if (!@is_file($path)) {
-+            if (!self::isPermittedPath($path) or !@is_file($path)) {
-                 throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
-             }
- 
-@@ -2612,7 +2627,7 @@ class PHPMailer
-     protected function encodeFile($path, $encoding = 'base64')
-     {
-         try {
--            if (!is_readable($path)) {
-+            if (!self::isPermittedPath($path) or !file_exists($path)) {
-                 throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE);
-             }
-             $magic_quotes = get_magic_quotes_runtime();
-@@ -2956,7 +2971,7 @@ class PHPMailer
-      */
-     public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline')
-     {
--        if (!@is_file($path)) {
-+        if (!self::isPermittedPath($path) or !@is_file($path)) {
-             $this->setError($this->lang('file_access') . $path);
-             return false;
-         }
---- a/test/phpmailerTest.php
-+++ b/test/phpmailerTest.php
-@@ -740,6 +740,22 @@ class PHPMailerTest extends PHPUnit_Fram
-     }
- 
-     /**
-+     * Rejection of non-local file attachments test.
-+     */
-+    public function testRejectNonLocalFileAttachment()
-+    {
-+        $this->assertFalse(
-+            $this->Mail->addAttachment('https://github.com/PHPMailer/PHPMailer/raw/master/README.md'),
-+            'addAttachment should reject remote URLs'
-+        );
-+
-+        $this->assertFalse(
-+            $this->Mail->addAttachment('phar://phar.php'),
-+            'addAttachment should reject phar resources'
-+        );
-+    }
-+
-+    /**
-      * Simple plain string attachment test.
-      */
-     public function testPlainStringAttachment()
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/patches/series libphp-phpmailer-6.0.6/debian/patches/series
--- libphp-phpmailer-5.2.14+dfsg/debian/patches/series	2018-12-01 14:57:11.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
@@ -1,4 +0,0 @@
-0001-Fix-actual-autoloader-path.patch
-0002-Fix-CVE-2016-10033-CVE-2016-10045.patch
-0003-CVE-2017-5223.patch
-0004-CVE-2018-19296.patch
diff -Nru libphp-phpmailer-5.2.14+dfsg/debian/rules libphp-phpmailer-6.0.6/debian/rules
--- libphp-phpmailer-5.2.14+dfsg/debian/rules	2018-12-01 14:32:02.000000000 +0100
+++ libphp-phpmailer-6.0.6/debian/rules	2019-01-13 09:30:40.000000000 +0100
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 %:
-	dh $@ --with phpcomposer -Xextras/README.md -Xgeneratedocs.sh
+	dh $@ --with phpcomposer
 
 override_dh_auto_build:
 	phpab \
@@ -9,9 +9,5 @@
 		--exclude '*/.pc/*' \
 		.
 
-override_dh_installdocs:
-	dh_installdocs
-	install extras/README.md debian/libphp-phpmailer/usr/share/doc/libphp-phpmailer/README-extras.md
-
 get-orig-source:
 	uscan --rename --verbose --force
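Review bot: With the classes now installed from `src` and `test` no longer shipped, the phpab invocation still scans `.` (the last line of the `override_dh_auto_build` recipe, which starts outside this hunk), so the generated autoloader may carry entries for classes under `test/` or `examples/` that are not in the binary package unless the two option lines above this hunk already exclude them. If they do not, adding `--exclude '*/test/*' --exclude '*/examples/*'` alongside the existing `--exclude '*/.pc/*'` keeps the autoloader limited to what is installed. Dropping the `-X` options in the first hunk and the `override_dh_installdocs` target here looks consistent with `extras` no longer existing in 6.0.6.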

