Fixing minor security issue, potential XSS if debug output is activated.

Composer:
- Updating phpmailer/phpmailer (v5.2.25 => v5.2.26)

Fixes #23830
c883b83
@dregad
I had this also on my todo list, but my plan was to change composer.json to
and run
composer update
after it to update composer.lock. I thought this would be the better way to make a clear statement that MantisBT should not be used with any older version of phpmailer than 5.2.16, especially as this is a security-related version requirement.
c883b83
The reason I did not do as you suggest is because the fixes included in releases 5.2.23 and later (including the security ones) are technically not affecting us (in an out-of-the-box configuration), so a simple
composer install
will already pick up the latest 5.2.26 version with this commit. That being said, I don't have a strong objection against such change.