This release contains an important security update.
Takeshi Terada discovered that PHPMailer accepted addresses containing line breaks. This is valid in RFC5322, but allowing such addresses resulted in invalid RFC5321 SMTP commands, permitting a kind of message injection attack. These addresses were allowed by the 'pcre8' validator pattern (the default in recent PHP versions). This has been mitigated by rejecting line breaks during address validation, and also by rejecting line breaks in SMTP commands, which addresses the problem for applications using the SMTP class directly.
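The two layers of that mitigation, sketched as an added example (this is not PHPMailer's own code): the function names addressIsSafe() and buildSmtpCommand() are hypothetical, PHP's FILTER_VALIDATE_EMAIL stands in for the library's validator patterns, and the sample addresses are constructed.

```php
<?php
// Added illustration; not PHPMailer's code. Function names are hypothetical.

/** Layer 1: reject any address containing CR or LF before other validation. */
function addressIsSafe(string $address): bool
{
    if (strpbrk($address, "\r\n") !== false) {
        return false;
    }
    // Assumption: FILTER_VALIDATE_EMAIL stands in for the library's patterns.
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

/** Layer 2: build one SMTP command line, refusing embedded line breaks. */
function buildSmtpCommand(string $verb, string $argument): string
{
    $line = $verb . $argument;
    if (strpbrk($line, "\r\n") !== false) {
        throw new InvalidArgumentException('Line break in SMTP command');
    }
    // The only CRLF in the result is the terminator added here.
    return $line . "\r\n";
}

// Constructed sample inputs.
$samples = [
    'user@example.org',
    "\"first\r\n second\"@example.org", // line break inside a quoted local part
];

foreach ($samples as $address) {
    $ok = addressIsSafe($address);
    printf("%-40s %s\n", json_encode($address), $ok ? 'accepted' : 'rejected');
    try {
        // Simulates a caller that skipped layer 1 and used the SMTP layer directly.
        buildSmtpCommand('RCPT TO:', '<' . $address . '>');
        echo "  command built\n";
    } catch (InvalidArgumentException $e) {
        echo "  command refused: ", $e->getMessage(), "\n";
    }
}
```

The second check matters for code that talks to the SMTP layer without going through address validation, which is the case the release note calls out for applications using the SMTP class directly.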
Internationalized domain names
In better news, this release also introduces support for internationalized domain names (IDNs) thanks to @fbonzon. A significant effect of this is that the point at which addresses are validated may change; since an IDN may depend on the current value of CharSet (which can be changed at any time), validations of addresses potentially containing IDNs are queued and not actually checked until send() is called rather than when the address is added. You may now use addresses like test@françois.ch and pre-punycoded addresses like firstname.lastname@example.org everywhere that addresses are used in PHPMailer.
There is now better access to POP3 errors (when using POP-before-SMTP), and you can now access POP3 properties and methods from subclasses.
Updated Russian and Brazilian Portuguese translations.