Gmail SMTP - Version 1.1.0

Version Description

  • Updated the PHPMailer library to version 5.2.21. This release contains a critical security update for CVE-2016-10045 that was fixed in PHPMailer 5.2.20.

Release Info

Developer naa986
Version 1.1.0

Code changes from version 1.0.9 to 1.1.0

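--- a/PHPMailer/class.phpmailer.php
+++ b/PHPMailer/class.phpmailer.php
@@ -31,7 +31,7 @@ class PHPMailer
  * The PHPMailer Version number.
  * @var string
  */
- public $Version = '5.2.19';
+ public $Version = '5.2.21';
 
  /**
  * Email priority.
@@ -1364,19 +1364,24 @@ class PHPMailer
  */
  protected function sendmailSend($header, $body)
  {
- if (!empty($this->Sender)) {
+ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+ if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
  if ($this->Mailer == 'qmail') {
- $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+ $sendmailFmt = '%s -f%s';
  } else {
- $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+ $sendmailFmt = '%s -oi -f%s -t';
  }
  } else {
  if ($this->Mailer == 'qmail') {
- $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
+ $sendmailFmt = '%s';
  } else {
- $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
+ $sendmailFmt = '%s -oi -t';
  }
  }
+
+ // TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing.
+ $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
+
  if ($this->SingleTo) {
  foreach ($this->SingleToArray as $toAddr) {
  if (!@$mail = popen($sendmail, 'w')) {
@@ -1422,6 +1427,40 @@ class PHPMailer
  return true;
  }
 
+ /**
+ * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
+ *
+ * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+ * @param string $string The string to be validated
+ * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
+ * @access protected
+ * @return boolean
+ */
+ protected static function isShellSafe($string)
+ {
+ // Future-proof
+ if (escapeshellcmd($string) !== $string
+ or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))
+ ) {
+ return false;
+ }
+
+ $length = strlen($string);
+
+ for ($i = 0; $i < $length; $i++) {
+ $c = $string[$i];
+
+ // All other characters have a special meaning in at least one common shell, including = and +.
+ // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+ // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+ if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+ return false;
+ }
+ }
+
+ return true;
+ }
+
  /**
  * Send mail using the PHP mail() function.
  * @param string $header The message headers
@@ -1442,7 +1481,10 @@ class PHPMailer
  $params = null;
  //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
  if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
- $params = sprintf('-f%s', escapeshellarg($this->Sender));
+ // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+ if (self::isShellSafe($this->Sender)) {
+ $params = sprintf('-f%s', $this->Sender);
+ }
  }
  if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
  $old_from = ini_get('sendmail_from');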
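Review bot: When `isShellSafe()` rejects `$this->Sender`, both `sendmailSend()` and `mailSend()` drop the `-f` option without any debug output or error in the visible lines, so the message leaves with the MTA's default envelope sender and bounce routing or SPF alignment can change with nothing recorded. A debug line where the check fails would make that visible, for example `$this->edebug('Sender is not shell-safe; -f omitted');`. Separately, `$this->Sender` is now placed unquoted into the `popen()` command, so the allowlist in `isShellSafe()` is the only barrier; I would state that next to the `sprintf()` call, e.g. `// Sender is unquoted here: isShellSafe() above is the sole guard, keep its allowlist strict.` Since `ctype_alnum()` is locale-dependent, as the function's own comment says, which bytes pass that guard depends on the host's locale setting. Both function bodies continue outside the hunks shown.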
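--- a/PHPMailer/class.pop3.php
+++ b/PHPMailer/class.pop3.php
@@ -34,7 +34,7 @@ class POP3
  * @var string
  * @access public
  */
- public $Version = '5.2.19';
+ public $Version = '5.2.21';
 
  /**
  * Default POP3 port number.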
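--- a/PHPMailer/class.smtp.php
+++ b/PHPMailer/class.smtp.php
@@ -30,7 +30,7 @@ class SMTP
  * The PHPMailer SMTP version number.
  * @var string
  */
- const VERSION = '5.2.19';
+ const VERSION = '5.2.21';
 
  /**
  * SMTP line break constant.
@@ -81,7 +81,7 @@ class SMTP
  * @deprecated Use the `VERSION` constant instead
  * @see SMTP::VERSION
  */
- public $Version = '5.2.19';
+ public $Version = '5.2.21';
 
  /**
  * SMTP server port number.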
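--- a/main.php
+++ b/main.php
@@ -1,7 +1,7 @@
  <?php
  /*
  Plugin Name: Gmail SMTP
- Version: 1.0.9
+ Version: 1.1.0
  Plugin URI: http://wphowto.net/
  Author: naa986
  Author URI: http://wphowto.net/
@@ -16,8 +16,8 @@ if (!defined('ABSPATH')){
 
  class GMAIL_SMTP {
 
- var $plugin_version = '1.0.9';
- var $phpmailer_version = '5.2.19';
+ var $plugin_version = '1.1.0';
+ var $phpmailer_version = '5.2.21';
  var $plugin_url;
  var $plugin_path;
 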
readme.txt CHANGED
@@ -4,7 +4,7 @@ Donate link: https://wphowto.net/
4
  Tags: smtp, gmail, mail, mailer, phpmailer, wp_mail, email, oauth2
5
  Requires at least: 4.7
6
  Tested up to: 4.7
7
- Stable tag: 1.0.9
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
@@ -102,6 +102,9 @@ none
102
 
103
  == Changelog ==
104
 
 
 
 
105
  = 1.0.9 =
106
  * Updated the PHPMailer library to the latest version (5.2.19). This release also contains a critical security update for CVE-2016-10033 that was fixed in PHPMailer 5.2.18.
107
 
4
  Tags: smtp, gmail, mail, mailer, phpmailer, wp_mail, email, oauth2
5
  Requires at least: 4.7
6
  Tested up to: 4.7
7
+ Stable tag: 1.1.0
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
102
 
103
  == Changelog ==
104
 
105
+ = 1.1.0 =
106
+ * Updated the PHPMailer library to version 5.2.21. This release contains a critical security update for CVE-2016-10045 that was fixed in PHPMailer 5.2.20.
107
+
108
  = 1.0.9 =
109
  * Updated the PHPMailer library to the latest version (5.2.19). This release also contains a critical security update for CVE-2016-10033 that was fixed in PHPMailer 5.2.18.
110