Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 64 changed files with 8,737 additions and 8,444 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
GPL Cooperation Commitment | ||
Version 1.0 | ||
|
||
Before filing or continuing to prosecute any legal proceeding or claim | ||
(other than a Defensive Action) arising from termination of a Covered | ||
License, we commit to extend to the person or entity ('you') accused | ||
of violating the Covered License the following provisions regarding | ||
cure and reinstatement, taken from GPL version 3. As used here, the | ||
term 'this License' refers to the specific Covered License being | ||
enforced. | ||
|
||
However, if you cease all violation of this License, then your | ||
license from a particular copyright holder is reinstated (a) | ||
provisionally, unless and until the copyright holder explicitly | ||
and finally terminates your license, and (b) permanently, if the | ||
copyright holder fails to notify you of the violation by some | ||
reasonable means prior to 60 days after the cessation. | ||
|
||
Moreover, your license from a particular copyright holder is | ||
reinstated permanently if the copyright holder notifies you of the | ||
violation by some reasonable means, this is the first time you | ||
have received notice of violation of this License (for any work) | ||
from that copyright holder, and you cure the violation prior to 30 | ||
days after your receipt of the notice. | ||
|
||
We intend this Commitment to be irrevocable, and binding and | ||
enforceable against us and assignees of or successors to our | ||
copyrights. | ||
|
||
Definitions | ||
|
||
'Covered License' means the GNU General Public License, version 2 | ||
(GPLv2), the GNU Lesser General Public License, version 2.1 | ||
(LGPLv2.1), or the GNU Library General Public License, version 2 | ||
(LGPLv2), all as published by the Free Software Foundation. | ||
|
||
'Defensive Action' means a legal proceeding or claim that We bring | ||
against you in response to a prior proceeding or claim initiated by | ||
you or your affiliate. | ||
|
||
'We' means each contributor to this repository as of the date of | ||
inclusion of this file, including subsidiaries of a corporate | ||
contributor. | ||
|
||
This work is available under a Creative Commons Attribution-ShareAlike | ||
4.0 International license (https://creativecommons.org/licenses/by-sa/4.0/). |
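Review bot: the 'We' definition at the end of the hunk binds "each contributor to this repository as of the date of inclusion of this file", but nothing in the file records that date, so the set of bound parties can only be recovered from git history; add the inclusion date (or the commit reference) to the file itself, and reference the commitment from the README or license file so consumers of the LGPL-2.1 package declared in composer.json can find it. Note also that the Commitment covers only GPLv2, LGPLv2.1 and LGPLv2, so it is only meaningful here because the manifest in this same commit declares "LGPL-2.1"; if the license field ever changes, this file needs revisiting.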
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,26 +1,28 @@ | ||
# Security notices relating to PHPMailer | ||
|
||
Please disclose any vulnerabilities found responsibly - report any security problems found to the maintainers privately. | ||
|
||
PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project. | ||
|
||
PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file disclosure vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5223). If content passed into `msgHTML()` is sourced from unfiltered user input, relative paths can map to absolute local file paths and added as attachments. Also note that `addAttachment` (just like `file_get_contents`, `passthru`, `unlink`, etc) should not be passed user-sourced params either! Reported by Yongxiang Li of Asiasecurity. | ||
|
||
PHPMailer versions prior to 5.2.20 (released December 28th 2016) are vulnerable to [CVE-2016-10045](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10045) a remote code execution vulnerability, responsibly reported by [Dawid Golunski](https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html), and patched by Paul Buonopane (@Zenexer). | ||
|
||
PHPMailer versions prior to 5.2.18 (released December 2016) are vulnerable to [CVE-2016-10033](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10033) a remote code execution vulnerability, responsibly reported by [Dawid Golunski](http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html). | ||
|
||
PHPMailer versions prior to 5.2.14 (released November 2015) are vulnerable to [CVE-2015-8476](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8476) an SMTP CRLF injection bug permitting arbitrary message sending. | ||
|
||
PHPMailer versions prior to 5.2.10 (released May 2015) are vulnerable to [CVE-2008-5619](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5619), a remote code execution vulnerability in the bundled html2text library. This file was removed in 5.2.10, so if you are using a version prior to that and make use of the html2text function, it's vitally important that you upgrade and remove this file. | ||
|
||
PHPMailer versions prior to 2.0.7 and 2.2.1 are vulnerable to [CVE-2012-0796](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0796), an email header injection attack. | ||
|
||
Joomla 1.6.0 uses PHPMailer in an unsafe way, allowing it to reveal local file paths, reported in [CVE-2011-3747](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3747). | ||
|
||
PHPMailer didn't sanitise the `$lang_path` parameter in `SetLanguage`. This wasn't a problem in itself, but some apps (PHPClassifieds, ATutor) also failed to sanitise user-provided parameters passed to it, permitting semi-arbitrary local file inclusion, reported in [CVE-2010-4914](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4914), [CVE-2007-2021](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2021) and [CVE-2006-5734](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5734). | ||
|
||
PHPMailer 1.7.2 and earlier contained a possible DDoS vulnerability reported in [CVE-2005-1807](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1807). | ||
|
||
PHPMailer 1.7 and earlier (June 2003) have a possible vulnerability in the `SendmailSend` method where shell commands may not be sanitised. Reported in [CVE-2007-3215](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3215). | ||
|
||
# Security notices relating to PHPMailer | ||
|
||
Please disclose any vulnerabilities found responsibly - report any security problems found to the maintainers privately. | ||
|
||
PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing `phar://` paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded as [CVE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296). See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Sehun Oh of cyberone.kr. | ||
|
||
PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through composer, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project. | ||
|
||
PHPMailer versions prior to 5.2.22 (released January 9th 2017) have a local file disclosure vulnerability, [CVE-2017-5223](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5223). If content passed into `msgHTML()` is sourced from unfiltered user input, relative paths can map to absolute local file paths and added as attachments. Also note that `addAttachment` (just like `file_get_contents`, `passthru`, `unlink`, etc) should not be passed user-sourced params either! Reported by Yongxiang Li of Asiasecurity. | ||
|
||
PHPMailer versions prior to 5.2.20 (released December 28th 2016) are vulnerable to [CVE-2016-10045](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10045) a remote code execution vulnerability, responsibly reported by [Dawid Golunski](https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html), and patched by Paul Buonopane (@Zenexer). | ||
|
||
PHPMailer versions prior to 5.2.18 (released December 2016) are vulnerable to [CVE-2016-10033](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10033) a remote code execution vulnerability, responsibly reported by [Dawid Golunski](http://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html). | ||
|
||
PHPMailer versions prior to 5.2.14 (released November 2015) are vulnerable to [CVE-2015-8476](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8476) an SMTP CRLF injection bug permitting arbitrary message sending. | ||
|
||
PHPMailer versions prior to 5.2.10 (released May 2015) are vulnerable to [CVE-2008-5619](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5619), a remote code execution vulnerability in the bundled html2text library. This file was removed in 5.2.10, so if you are using a version prior to that and make use of the html2text function, it's vitally important that you upgrade and remove this file. | ||
|
||
PHPMailer versions prior to 2.0.7 and 2.2.1 are vulnerable to [CVE-2012-0796](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0796), an email header injection attack. | ||
|
||
Joomla 1.6.0 uses PHPMailer in an unsafe way, allowing it to reveal local file paths, reported in [CVE-2011-3747](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3747). | ||
|
||
PHPMailer didn't sanitise the `$lang_path` parameter in `SetLanguage`. This wasn't a problem in itself, but some apps (PHPClassifieds, ATutor) also failed to sanitise user-provided parameters passed to it, permitting semi-arbitrary local file inclusion, reported in [CVE-2010-4914](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4914), [CVE-2007-2021](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2021) and [CVE-2006-5734](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-5734). | ||
|
||
PHPMailer 1.7.2 and earlier contained a possible DDoS vulnerability reported in [CVE-2005-1807](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1807). | ||
|
||
PHPMailer 1.7 and earlier (June 2003) have a possible vulnerability in the `SendmailSend` method where shell commands may not be sanitised. Reported in [CVE-2007-3215](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3215). | ||
|
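Review bot: the entire file is rendered as removed and re-added (@@ -1,26 +1,28 @@) although only two things differ in content, the new CVE-2018-19296 paragraph and the clause "and the file is not included when PHPMailer is loaded through composer" in the CVE-2017-11503 entry, which suggests a line-ending or whitespace change was bundled in; split that into its own commit so the security-relevant edit is reviewable on its own. While touching the file, fix two typos carried over unchanged: "so it it not normally executable" should read "so it is not normally executable", and "relative paths can map to absolute local file paths and added as attachments" should read "and be added as attachments". In the new CVE-2018-19296 entry, "`addAttachment()` and other functions that may receive unfiltered local paths" leaves integrators guessing which call sites to audit; list the affected functions explicitly, and say whether the check that blocks "URL-protocol style prefixes such as `phar://`" is case-insensitive, since the entry does not.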
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
6.0.3 | ||
6.0.7 |
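Review bot: the version jumps from 6.0.3 to 6.0.7 in one commit, skipping 6.0.4 through 6.0.6, and the SECURITY.md entry in this same commit says the `phar://` fix (CVE-2018-19296) landed in 6.0.6; make sure the commit message or changelog (not among the rendered files) states that this is a sync of the bundled copy to 6.0.7 and that it picks up that fix, so anyone auditing the dependency can see which security fixes arrived with this change rather than having to diff 64 files.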
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,55 @@ | ||
{ | ||
"name": "phpmailer/phpmailer", | ||
"type": "library", | ||
"description": "PHPMailer is a full-featured email creation and transfer class for PHP", | ||
"authors": [ | ||
{ | ||
"name": "Marcus Bointon", | ||
"email": "phpmailer@synchromedia.co.uk" | ||
}, | ||
{ | ||
"name": "Jim Jagielski", | ||
"email": "jimjag@gmail.com" | ||
}, | ||
{ | ||
"name": "Andy Prevost", | ||
"email": "codeworxtech@users.sourceforge.net" | ||
}, | ||
{ | ||
"name": "Brent R. Matzelle" | ||
} | ||
], | ||
"require": { | ||
"php": ">=5.5.0", | ||
"ext-ctype": "*", | ||
"ext-filter": "*" | ||
}, | ||
"require-dev": { | ||
"friendsofphp/php-cs-fixer": "^2.2", | ||
"phpdocumentor/phpdocumentor": "2.*", | ||
"phpunit/phpunit": "^4.8 || ^5.7", | ||
"zendframework/zend-serializer": "2.7.*", | ||
"doctrine/annotations": "1.2.*", | ||
"zendframework/zend-eventmanager": "3.0.*", | ||
"zendframework/zend-i18n": "2.7.3" | ||
}, | ||
"suggest": { | ||
"psr/log": "For optional PSR-3 debug logging", | ||
"league/oauth2-google": "Needed for Google XOAUTH2 authentication", | ||
"hayageek/oauth2-yahoo": "Needed for Yahoo XOAUTH2 authentication", | ||
"stevenmaguire/oauth2-microsoft": "Needed for Microsoft XOAUTH2 authentication", | ||
"ext-mbstring": "Needed to send email in multibyte encoding charset", | ||
"symfony/polyfill-mbstring": "To support UTF-8 if the Mbstring PHP extension is not enabled (^1.2)" | ||
}, | ||
"autoload": { | ||
"psr-4": { | ||
"PHPMailer\\PHPMailer\\": "src/" | ||
} | ||
}, | ||
"autoload-dev": { | ||
"psr-4": { | ||
"PHPMailer\\Test\\": "test/" | ||
} | ||
}, | ||
"license": "LGPL-2.1" | ||
} |
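Review bot: adding `composer.json` as a new file next to a VERSION bump inside a 64-file commit looks like a vendored copy of PHPMailer; Composer in the consuming project never reads a manifest buried in a vendored directory, so if the parent project uses Composer it would be better to declare `phpmailer/phpmailer` as a dependency with a locked version, which would have pulled 6.0.7 and its security fixes via `composer update` with an auditable lock-file change. Two smaller points in the manifest itself: `"license": "LGPL-2.1"` uses an SPDX identifier that SPDX has deprecated in favour of `LGPL-2.1-only` or `LGPL-2.1-or-later` (Composer accepts either), and `require-dev` pins `zendframework/zend-i18n` to the exact `2.7.3` while every other dev package uses a range; either document why or use a caret range.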