Gmail SMTP - Version 1.1.1

Version Description

  • Updated the PHPMailer library to version 5.2.22. This release contains a critical security fix for CVE-2017-5223.

Release Info

Developer naa986
Version 1.1.1

Code changes from version 1.1.0 to 1.1.1

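--- a/PHPMailer/class.phpmailer.php
+++ b/PHPMailer/class.phpmailer.php
@@ -31,7 +31,7 @@ class PHPMailer
  * The PHPMailer Version number.
  * @var string
  */
- public $Version = '5.2.21';
+ public $Version = '5.2.22';
 
  /**
  * Email priority.
@@ -2492,6 +2492,7 @@ class PHPMailer
 
  /**
  * Add an attachment from a path on the filesystem.
+ * Never use a user-supplied path to a file!
  * Returns false if the file could not be found or read.
  * @param string $path Path to the attachment.
  * @param string $name Overrides the attachment name.
@@ -3017,6 +3018,7 @@ class PHPMailer
  * displayed inline with the message, not just attached for download.
  * This is used in HTML messages that embed the images
  * the HTML refers to using the $cid value.
+ * Never use a user-supplied path to a file!
  * @param string $path Path to the attachment.
  * @param string $cid Content ID of the attachment; Use this to reference
  * the content when using an embedded image in HTML.
@@ -3380,12 +3382,14 @@ class PHPMailer
  * Create a message body from an HTML string.
  * Automatically inlines images and creates a plain-text version by converting the HTML,
  * overwriting any existing values in Body and AltBody.
- * $basedir is used when handling relative image paths, e.g. <img src="images/a.png">
+ * Do not source $message content from user input!
+ * $basedir is prepended when handling relative URLs, e.g. <img src="/images/a.png"> and must not be empty
  * will look for an image file in $basedir/images/a.png and convert it to inline.
- * If you don't want to apply these transformations to your HTML, just set Body and AltBody yourself.
+ * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email)
+ * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly.
  * @access public
  * @param string $message HTML message string
- * @param string $basedir base directory for relative paths to images
+ * @param string $basedir Absolute path to a base directory to prepend to relative paths to images
  * @param boolean|callable $advanced Whether to use the internal HTML to text converter
  * or your own custom converter @see PHPMailer::html2text()
  * @return string $message The transformed message Body
@@ -3394,6 +3398,10 @@ class PHPMailer
  {
  preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images);
  if (array_key_exists(2, $images)) {
+ if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
+ // Ensure $basedir has a trailing /
+ $basedir .= '/';
+ }
  foreach ($images[2] as $imgindex => $url) {
  // Convert data URIs into embedded images
  if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) {
@@ -3411,18 +3419,24 @@ class PHPMailer
  $message
  );
  }
- } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
- // Do not change urls for absolute images (thanks to corvuscorax)
+ continue;
+ }
+ if (
+ // Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
+ !empty($basedir)
+ // Ignore URLs containing parent dir traversal (..)
+ && (strpos($url, '..') === false)
  // Do not change urls that are already inline images
+ && substr($url, 0, 4) !== 'cid:'
+ // Do not change absolute URLs, including anonymous protocol
+ && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url)
+ ) {
  $filename = basename($url);
  $directory = dirname($url);
  if ($directory == '.') {
  $directory = '';
  }
  $cid = md5($url) . '@phpmailer.0'; // RFC2392 S 2
- if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
- $basedir .= '/';
- }
  if (strlen($directory) > 1 && substr($directory, -1) != '/') {
  $directory .= '/';
  }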
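Review bot: The traversal guard added to the inlining condition in msgHTML(), `&& (strpos($url, '..') === false)`, is a substring test on the raw attribute value, so it rejects a literal `..` but does not establish that the file finally read lies under `$basedir` (a symlink inside the base directory would presumably still be followed). Where the path is assembled, which is outside the lines shown and presumably built from `$basedir`, `$directory` and `$filename`, a containment check on the resolved path would be sturdier, for example `$real = realpath($basedir . $directory . $filename);` followed by `if ($real === false || strpos($real, rtrim(realpath($basedir), '/') . '/') !== 0) { continue; }`. The addAttachment() and addEmbeddedImage() hunks add only the docblock line `Never use a user-supplied path to a file!` and no check, so every caller in the plugin still has to guarantee that neither a path nor `$message` is derived from request data. The function body starts before and ends after the hunks shown.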
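--- a/PHPMailer/class.pop3.php
+++ b/PHPMailer/class.pop3.php
@@ -34,7 +34,7 @@ class POP3
  * @var string
  * @access public
  */
- public $Version = '5.2.21';
+ public $Version = '5.2.22';
 
  /**
  * Default POP3 port number.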
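--- a/PHPMailer/class.smtp.php
+++ b/PHPMailer/class.smtp.php
@@ -30,7 +30,7 @@ class SMTP
  * The PHPMailer SMTP version number.
  * @var string
  */
- const VERSION = '5.2.21';
+ const VERSION = '5.2.22';
 
  /**
  * SMTP line break constant.
@@ -81,7 +81,7 @@ class SMTP
  * @deprecated Use the `VERSION` constant instead
  * @see SMTP::VERSION
  */
- public $Version = '5.2.21';
+ public $Version = '5.2.22';
 
  /**
  * SMTP server port number.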
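--- a/main.php
+++ b/main.php
@@ -1,7 +1,7 @@
  <?php
  /*
  Plugin Name: Gmail SMTP
- Version: 1.1.0
+ Version: 1.1.1
  Plugin URI: http://wphowto.net/
  Author: naa986
  Author URI: http://wphowto.net/
@@ -16,8 +16,8 @@ if (!defined('ABSPATH')){
 
  class GMAIL_SMTP {
 
- var $plugin_version = '1.1.0';
- var $phpmailer_version = '5.2.21';
+ var $plugin_version = '1.1.1';
+ var $phpmailer_version = '5.2.22';
  var $plugin_url;
  var $plugin_path;
 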
readme.txt CHANGED
@@ -4,7 +4,7 @@ Donate link: https://wphowto.net/
4
  Tags: smtp, gmail, mail, mailer, phpmailer, wp_mail, email, oauth2
5
  Requires at least: 4.7
6
  Tested up to: 4.7
7
- Stable tag: 1.1.0
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
@@ -102,6 +102,9 @@ none
102
 
103
  == Changelog ==
104
 
 
 
 
105
  = 1.1.0 =
106
  * Updated the PHPMailer library to version 5.2.21. This release contains a critical security update for CVE-2016-10045 that was fixed in PHPMailer 5.2.20.
107
 
4
  Tags: smtp, gmail, mail, mailer, phpmailer, wp_mail, email, oauth2
5
  Requires at least: 4.7
6
  Tested up to: 4.7
7
+ Stable tag: 1.1.1
8
  License: GPLv2 or later
9
  License URI: http://www.gnu.org/licenses/gpl-2.0.html
10
 
102
 
103
  == Changelog ==
104
 
105
+ = 1.1.1 =
106
+ * Updated the PHPMailer library to version 5.2.22. This release contains a critical security fix for CVE-2017-5223.
107
+
108
  = 1.1.0 =
109
  * Updated the PHPMailer library to version 5.2.21. This release contains a critical security update for CVE-2016-10045 that was fixed in PHPMailer 5.2.20.
110