Skip to content

@Synchro Synchro released this Nov 1, 2015 · 958 commits to master since this release

This release contains an important security update.

Security update

Takeshi Terada discovered that PHPMailer accepted addresses containing line breaks. This is valid in RFC5322, but allowing such addresses resulted in invalid RFC5321 SMTP commands, permitting a kind of message injection attack. These addresses were allowed by the 'pcre8' validator pattern (the default in recent PHP versions). This has been mitigated by rejecting line breaks during address validation, and also by rejecting line breaks in SMTP commands, which addresses the problem for applications using the SMTP class directly.

Internationalized domain names

In better news, this release also introduces support for internationalized domain names (IDNs) thanks to @fbonzon. A significant effect of this is that the point at which addresses are validated may change; since an IDN may depend on the current value of CharSet (which can be changed at any time), validations of addresses potentially containing IDNs are queued and not actually checked until send() is called rather than when the address is added. You may now use addresses like test@franç and pre-punycoded addreses like everywhere that addresses are used in PHPMailer.


There is now better access to POP3 errors (when using POP-before-SMTP), and can now access POP3 properties and methods from subclasses.

Updated Russian and Brazilian Portuguese translations.

Assets 2
You can’t perform that action at this time.