diff --git a/src/wp-includes/PHPMailer/PHPMailer.php b/src/wp-includes/PHPMailer/PHPMailer.php index 25818104e0..5618251950 100644 --- a/src/wp-includes/PHPMailer/PHPMailer.php +++ b/src/wp-includes/PHPMailer/PHPMailer.php @@ -428,9 +428,11 @@ class PHPMailer public $Debugoutput = 'echo'; /** - * Whether to keep SMTP connection open after each message. - * If this is set to true then to close the connection - * requires an explicit call to smtpClose(). + * Whether to keep the SMTP connection open after each message. + * If this is set to true then the connection will remain open after a send, + * and closing the connection will require an explicit call to smtpClose(). + * It's a good idea to use this if you are sending multiple messages as it reduces overhead. + * See the mailing list example for how to use it. * * @var bool */ @@ -748,7 +750,7 @@ class PHPMailer * * @var string */ - const VERSION = '6.4.1'; + const VERSION = '6.5.0'; /** * Error severity: message only, continue processing. @@ -1335,7 +1337,8 @@ class PHPMailer if (null === $patternselect) { $patternselect = static::$validator; } - if (is_callable($patternselect)) { + //Don't allow strings as callables, see SECURITY.md and CVE-2021-3603 + if (is_callable($patternselect) && !is_string($patternselect)) { return call_user_func($patternselect, $address); } //Reject line breaks in addresses; it's valid RFC5322, but not RFC5321 @@ -2184,7 +2187,8 @@ class PHPMailer * The default language is English. * * @param string $langcode ISO 639-1 2-character language code (e.g. French is "fr") - * @param string $lang_path Path to the language file directory, with trailing separator (slash) + * @param string $lang_path Path to the language file directory, with trailing separator (slash).D + * Do not set this from user input! * * @return bool */ @@ -2246,14 +2250,32 @@ class PHPMailer if (!static::fileIsAccessible($lang_file)) { $foundlang = false; } else { - //Overwrite language-specific strings. - //This way we'll never have missing translation keys. - $foundlang = include $lang_file; + //$foundlang = include $lang_file; + $lines = file($lang_file); + foreach ($lines as $line) { + //Translation file lines look like this: + //$PHPMAILER_LANG['authenticate'] = 'SMTP-Fehler: Authentifizierung fehlgeschlagen.'; + //These files are parsed as text and not PHP so as to avoid the possibility of code injection + //See https://blog.stevenlevithan.com/archives/match-quoted-string + $matches = []; + if ( + preg_match( + '/^\$PHPMAILER_LANG\[\'([a-z\d_]+)\'\]\s*=\s*(["\'])(.+)*?\2;/', + $line, + $matches + ) && + //Ignore unknown translation keys + array_key_exists($matches[1], $PHPMAILER_LANG) + ) { + //Overwrite language-specific strings so we'll never have missing translation keys. + $PHPMAILER_LANG[$matches[1]] = (string)$matches[3]; + } + } } } $this->language = $PHPMAILER_LANG; - return (bool) $foundlang; //Returns false if language not found + return $foundlang; //Returns false if language not found } /** diff --git a/src/wp-includes/PHPMailer/SMTP.php b/src/wp-includes/PHPMailer/SMTP.php index 0e7f53df50..a4a91ed0dc 100644 --- a/src/wp-includes/PHPMailer/SMTP.php +++ b/src/wp-includes/PHPMailer/SMTP.php @@ -35,7 +35,7 @@ class SMTP * * @var string */ - const VERSION = '6.4.1'; + const VERSION = '6.5.0'; /** * SMTP line break constant. @@ -186,6 +186,7 @@ class SMTP 'Amazon_SES' => '/[\d]{3} Ok (.*)/', 'SendGrid' => '/[\d]{3} Ok: queued as (.*)/', 'CampaignMonitor' => '/[\d]{3} 2.0.0 OK:([a-zA-Z\d]{48})/', + 'Haraka' => '/[\d]{3} Message Queued \((.*)\)/', ]; /**