diff --git a/README.md b/README.md
index 3a28490..fb190ec 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@ Based on [http://silverstripe.org/smtpmailer-module/](http://silverstripe.org/sm
## Description
**silverstripe-smtp** automatically sends emails (e.g. from UserForms) to your provider's or host's SMTP server instead of using PHP's built-in ``mail()`` function.
-**silverstripe-smtp** replaces the classic SilverStripe Mailer (using the ``mail()`` function) with PHPMailer 5.2.28 ([https://github.com/PHPMailer/PHPMailer](https://github.com/PHPMailer/PHPMailer), was [http://sourceforge.net/projects/phpmailer/](http://sourceforge.net/projects/phpmailer/)) to send emails via the SMTP protocol to a local or remote SMTP server.
+**silverstripe-smtp** replaces the classic SilverStripe Mailer (using the ``mail()`` function) with PHPMailer 5.2.22 ([https://github.com/PHPMailer/PHPMailer](https://github.com/PHPMailer/PHPMailer), was [http://sourceforge.net/projects/phpmailer/](http://sourceforge.net/projects/phpmailer/)) to send emails via the SMTP protocol to a local or remote SMTP server.
When would you use this module:
diff --git a/code/vendor/class.phpmailer.php b/code/vendor/class.phpmailer.php
index 8ff13f1..477ee82 100755
--- a/code/vendor/class.phpmailer.php
+++ b/code/vendor/class.phpmailer.php
@@ -31,7 +31,7 @@ class PHPMailer
* The PHPMailer Version number.
* @var string
*/
- public $Version = '5.2.21';
+ public $Version = '5.2.22';
/**
* Email priority.
@@ -2492,6 +2492,7 @@ public function textLine($value)
/**
* Add an attachment from a path on the filesystem.
+ * Never use a user-supplied path to a file!
* Returns false if the file could not be found or read.
* @param string $path Path to the attachment.
* @param string $name Overrides the attachment name.
@@ -3017,6 +3018,7 @@ public function addStringAttachment(
* displayed inline with the message, not just attached for download.
* This is used in HTML messages that embed the images
* the HTML refers to using the $cid value.
+ * Never use a user-supplied path to a file!
* @param string $path Path to the attachment.
* @param string $cid Content ID of the attachment; Use this to reference
* the content when using an embedded image in HTML.
@@ -3380,12 +3382,14 @@ public function getCustomHeaders()
* Create a message body from an HTML string.
* Automatically inlines images and creates a plain-text version by converting the HTML,
* overwriting any existing values in Body and AltBody.
- * $basedir is used when handling relative image paths, e.g.
+ * Do not source $message content from user input!
+ * $basedir is prepended when handling relative URLs, e.g. and must not be empty will look for an image file in $basedir/images/a.png and convert it to inline.
- * If you don't want to apply these transformations to your HTML, just set Body and AltBody yourself.
+ * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email)
+ * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly.
* @access public
* @param string $message HTML message string
- * @param string $basedir base directory for relative paths to images
+ * @param string $basedir Absolute path to a base directory to prepend to relative paths to images
* @param boolean|callable $advanced Whether to use the internal HTML to text converter
* or your own custom converter @see PHPMailer::html2text()
* @return string $message The transformed message Body
@@ -3394,6 +3398,10 @@ public function msgHTML($message, $basedir = '', $advanced = false)
{
preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images);
if (array_key_exists(2, $images)) {
+ if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
+ // Ensure $basedir has a trailing /
+ $basedir .= '/';
+ }
foreach ($images[2] as $imgindex => $url) {
// Convert data URIs into embedded images
if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) {
@@ -3411,18 +3419,24 @@ public function msgHTML($message, $basedir = '', $advanced = false)
$message
);
}
- } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
- // Do not change urls for absolute images (thanks to corvuscorax)
+ continue;
+ }
+ if (
+ // Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
+ !empty($basedir)
+ // Ignore URLs containing parent dir traversal (..)
+ && (strpos($url, '..') === false)
// Do not change urls that are already inline images
+ && substr($url, 0, 4) !== 'cid:'
+ // Do not change absolute URLs, including anonymous protocol
+ && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url)
+ ) {
$filename = basename($url);
$directory = dirname($url);
if ($directory == '.') {
$directory = '';
}
$cid = md5($url) . '@phpmailer.0'; // RFC2392 S 2
- if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
- $basedir .= '/';
- }
if (strlen($directory) > 1 && substr($directory, -1) != '/') {
$directory .= '/';
}
diff --git a/code/vendor/class.smtp.php b/code/vendor/class.smtp.php
index 270162b..8932117 100755
--- a/code/vendor/class.smtp.php
+++ b/code/vendor/class.smtp.php
@@ -30,7 +30,7 @@ class SMTP
* The PHPMailer SMTP version number.
* @var string
*/
- const VERSION = '5.2.21';
+ const VERSION = '5.2.22';
/**
* SMTP line break constant.
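Review bot: The new guard block in msgHTML (the multi-line `if (` that replaces the old `elseif`) only stops local file reads when the caller passes a non-empty `$basedir`; the added `!empty($basedir)` clause skips the whole branch otherwise and relative paths are simply left in the HTML, so the protection is a caller contract rather than something the method enforces on its own. The README in this same commit describes the module as sending UserForms submissions, which is exactly the kind of user-supplied `$message` the new docblock says must not be passed in, so the module's own mailer (outside this diff) should be checked to confirm it never hands submitted HTML to msgHTML together with a `$basedir`. The `strpos($url, '..') === false` clause also rejects benign names such as `logo..png`, which is an acceptable trade-off but deserves a comment like `// Conservative: any '..' anywhere in the URL is rejected, not only as a path segment`. Separately, the README hunk shows the hand-copied vendor tree had drifted (it advertised 5.2.28 while class.phpmailer.php carried 5.2.21), so pinning PHPMailer through Composer, or at least a test asserting `$Version` equals the version named in the README, would keep future security releases from being silently missed. msgHTML's body begins before and continues past this hunk.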
@@ -81,7 +81,7 @@ class SMTP
* @deprecated Use the `VERSION` constant instead
* @see SMTP::VERSION
*/
- public $Version = '5.2.21';
+ public $Version = '5.2.22';
/**
* SMTP server port number.