[Web] Update composer libs, fixes PHPMailer security issue

2021-05-04 20:46:05 +02:00
parent 0cbd4ec273
commit af57a5312b
35 changed files with 409 additions and 1153 deletions
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/SECURITY.md
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/SECURITY.md
@@ -2,6 +2,8 @@

 Please disclose any security issues or vulnerabilities found through [Tidelift's coordinated disclosure system](https://tidelift.com/security) or to the maintainers privately.

+PHPMailer versions between 6.1.8 and 6.4.0 contain a regression of the earlier CVE-2018-19296 object injection vulnerability as a result of [a fix for Windows UNC paths in 6.1.8](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9). Recorded as [CVE-2020-36326](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-36326). Reported by Fariskhi Vidyan via Tidelift. 6.4.1 fixes this issue, and also enforces stricter checks for URL schemes in local path contexts.
+
 PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs in `Content-Type` and `Content-Disposition` when filenames passed into `addAttachment` and other methods that accept attachment names contain double quote characters, in contravention of RFC822 3.4.1. No specific vulnerability has been found relating to this, but it could allow file attachments to bypass attachment filters that are based on matching filename extensions. Recorded as [CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by Elar Lang of Clarified Security.

 PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing `phar://` paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded as [CVE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296). See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Sehun Oh of cyberone.kr.
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/VERSION
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/VERSION
@@ -1 +1 @@
-6.4.0
+6.4.1
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/composer.json
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/composer.json
@@ -57,5 +57,9 @@
            "PHPMailer\\Test\\": "test/"
        }
    },
-    "license": "LGPL-2.1-only"
+    "license": "LGPL-2.1-only",
+    "scripts": {
+        "check": "./vendor/bin/phpcs",
+        "test": "./vendor/bin/phpunit"
+    }
 }
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-uk.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/language/phpmailer.lang-uk.php
@@ -16,11 +16,11 @@ $PHPMAILER_LANG['file_access']          = 'Немає доступу до фай
 $PHPMAILER_LANG['file_open']            = 'Помилка файлової системи: не вдається відкрити файл: ';
 $PHPMAILER_LANG['from_failed']          = 'Невірна адреса відправника: ';
 $PHPMAILER_LANG['instantiate']          = 'Неможливо запустити функцію mail().';
-$PHPMAILER_LANG['provide_address']      = 'Будь-ласка, введіть хоча б одну email-адресу отримувача.';
+$PHPMAILER_LANG['provide_address']      = 'Будь ласка, введіть хоча б одну email-адресу отримувача.';
 $PHPMAILER_LANG['mailer_not_supported'] = ' - поштовий сервер не підтримується.';
 $PHPMAILER_LANG['recipients_failed']    = 'Помилка SMTP: не вдалося відправлення для таких отримувачів: ';
 $PHPMAILER_LANG['empty_message']        = 'Пусте повідомлення';
-$PHPMAILER_LANG['invalid_address']      = 'Не відправлено через невірний формат email-адреси: ';
+$PHPMAILER_LANG['invalid_address']      = 'Не відправлено через неправильний формат email-адреси: ';
 $PHPMAILER_LANG['signing']              = 'Помилка підпису: ';
 $PHPMAILER_LANG['smtp_connect_failed']  = 'Помилка з\'єднання з SMTP-сервером';
 $PHPMAILER_LANG['smtp_error']           = 'Помилка SMTP-сервера: ';
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/src/PHPMailer.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/src/PHPMailer.php
@@ -748,7 +748,7 @@ class PHPMailer
     *
     * @var string
     */
-    const VERSION = '6.4.0';
+    const VERSION = '6.4.1';

    /**
     * Error severity: message only, continue processing.
@@ -1721,9 +1721,10 @@ class PHPMailer
                fwrite($mail, $header);
                fwrite($mail, $body);
                $result = pclose($mail);
+                $addrinfo = static::parseAddresses($toAddr);
                $this->doCallback(
                    ($result === 0),
-                    [$toAddr],
+                    [[$addrinfo['address'], $addrinfo['name']]],
                    $this->cc,
                    $this->bcc,
                    $this->Subject,
@@ -1810,7 +1811,8 @@ class PHPMailer
     */
    protected static function isPermittedPath($path)
    {
-        return !preg_match('#^[a-z]+://#i', $path);
+        //Matches scheme definition from https://tools.ietf.org/html/rfc3986#section-3.1
+        return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);
    }

    /**
@@ -1822,12 +1824,15 @@ class PHPMailer
     */
    protected static function fileIsAccessible($path)
    {
+        if (!static::isPermittedPath($path)) {
+            return false;
+        }
        $readable = file_exists($path);
        //If not a UNC path (expected to start with \\), check read permission, see #2069
        if (strpos($path, '\\\\') !== 0) {
            $readable = $readable && is_readable($path);
        }
-        return static::isPermittedPath($path) && $readable;
+        return  $readable;
    }

    /**
@@ -1876,7 +1881,17 @@ class PHPMailer
        if ($this->SingleTo && count($toArr) > 1) {
            foreach ($toArr as $toAddr) {
                $result = $this->mailPassthru($toAddr, $this->Subject, $body, $header, $params);
-                $this->doCallback($result, [$toAddr], $this->cc, $this->bcc, $this->Subject, $body, $this->From, []);
+                $addrinfo = static::parseAddresses($toAddr);
+                $this->doCallback(
+                    $result,
+                    [[$addrinfo['address'], $addrinfo['name']]],
+                    $this->cc,
+                    $this->bcc,
+                    $this->Subject,
+                    $body,
+                    $this->From,
+                    []
+                );
            }
        } else {
            $result = $this->mailPassthru($to, $this->Subject, $body, $header, $params);
@@ -1965,7 +1980,7 @@ class PHPMailer
                    $isSent = true;
                }

-                $callbacks[] = ['issent' => $isSent, 'to' => $to[0]];
+                $callbacks[] = ['issent' => $isSent, 'to' => $to[0], 'name' => $to[1]];
            }
        }

@@ -1986,7 +2001,7 @@ class PHPMailer
        foreach ($callbacks as $cb) {
            $this->doCallback(
                $cb['issent'],
-                [$cb['to']],
+                [[$cb['to'], $cb['name']]],
                [],
                [],
                $this->Subject,
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/src/POP3.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/src/POP3.php
@@ -46,7 +46,7 @@ class POP3
     *
     * @var string
     */
-    const VERSION = '6.4.0';
+    const VERSION = '6.4.1';

    /**
     * Default POP3 port number.
--- a/data/web/inc/lib/vendor/phpmailer/phpmailer/src/SMTP.php
+++ b/data/web/inc/lib/vendor/phpmailer/phpmailer/src/SMTP.php
@@ -35,7 +35,7 @@ class SMTP
     *
     * @var string
     */
-    const VERSION = '6.4.0';
+    const VERSION = '6.4.1';

    /**
     * SMTP line break constant.
@@ -1 +1 @@
 .4.0
 .4.1