git subrepo pull (merge) mailcow/src/mailcow-dockerized
Among other things, this updates Dovecot to 2.3.13, which is a
critical security update.
subrepo: subdir: "mailcow/src/mailcow-dockerized"
merged: "376574d9"
upstream: origin: "https://github.com/mailcow/mailcow-dockerized.git"
branch: "master"
commit: "6f14955b"
git-subrepo: version: "0.4.3"
origin: "???"
commit: "???"
Change-Id: Idf4859ddaaebf6997afbb0cebffc8bf3f5b902a0
diff --git a/mailcow/src/mailcow-dockerized/data/web/inc/lib/vendor/phpmailer/phpmailer/src/PHPMailer.php b/mailcow/src/mailcow-dockerized/data/web/inc/lib/vendor/phpmailer/phpmailer/src/PHPMailer.php
index ed14d7c..c8fc1a8 100644
--- a/mailcow/src/mailcow-dockerized/data/web/inc/lib/vendor/phpmailer/phpmailer/src/PHPMailer.php
+++ b/mailcow/src/mailcow-dockerized/data/web/inc/lib/vendor/phpmailer/phpmailer/src/PHPMailer.php
@@ -1,4 +1,5 @@
<?php
+
/**
* PHPMailer - PHP email creation and transport class.
* PHP Version 5.5.
@@ -9,7 +10,7 @@
* @author Jim Jagielski (jimjag) <jimjag@gmail.com>
* @author Andy Prevost (codeworxtech) <codeworxtech@users.sourceforge.net>
* @author Brent R. Matzelle (original founder)
- * @copyright 2012 - 2019 Marcus Bointon
+ * @copyright 2012 - 2020 Marcus Bointon
* @copyright 2010 - 2012 Jim Jagielski
* @copyright 2004 - 2009 Andy Prevost
* @license http://www.gnu.org/copyleft/lesser.html GNU Lesser General Public License
@@ -388,11 +389,11 @@
* SMTP class debug output mode.
* Debug output level.
* Options:
- * * SMTP::DEBUG_OFF: No output
- * * SMTP::DEBUG_CLIENT: Client messages
- * * SMTP::DEBUG_SERVER: Client and server messages
- * * SMTP::DEBUG_CONNECTION: As SERVER plus connection status
- * * SMTP::DEBUG_LOWLEVEL: Noisy, low-level data output, rarely needed
+ * @see SMTP::DEBUG_OFF: No output
+ * @see SMTP::DEBUG_CLIENT: Client messages
+ * @see SMTP::DEBUG_SERVER: Client and server messages
+ * @see SMTP::DEBUG_CONNECTION: As SERVER plus connection status
+ * @see SMTP::DEBUG_LOWLEVEL: Noisy, low-level data output, rarely needed
*
* @see SMTP::$do_debug
*
@@ -441,6 +442,8 @@
* Only supported in `mail` and `sendmail` transports, not in SMTP.
*
* @var bool
+ *
+ * @deprecated 6.0.0 PHPMailer isn't a mailing list manager!
*/
public $SingleTo = false;
@@ -745,7 +748,7 @@
*
* @var string
*/
- const VERSION = '6.1.6';
+ const VERSION = '6.2.0';
/**
* Error severity: message only, continue processing.
@@ -897,6 +900,7 @@
switch ($this->Debugoutput) {
case 'error_log':
//Don't output, just log
+ /** @noinspection ForgottenDebugOutputInspection */
error_log($str);
break;
case 'html':
@@ -1182,9 +1186,11 @@
//Use this built-in parser if it's available
$list = imap_rfc822_parse_adrlist($addrstr, '');
foreach ($list as $address) {
- if (('.SYNTAX-ERROR.' !== $address->host) && static::validateAddress(
- $address->mailbox . '@' . $address->host
- )) {
+ if (
+ ('.SYNTAX-ERROR.' !== $address->host) && static::validateAddress(
+ $address->mailbox . '@' . $address->host
+ )
+ ) {
$addresses[] = [
'name' => (property_exists($address, 'personal') ? $address->personal : ''),
'address' => $address->mailbox . '@' . $address->host,
@@ -1238,7 +1244,8 @@
$name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
// Don't validate now addresses with IDN. Will be done in send().
$pos = strrpos($address, '@');
- if ((false === $pos)
+ if (
+ (false === $pos)
|| ((!$this->has8bitChars(substr($address, ++$pos)) || !static::idnSupported())
&& !static::validateAddress($address))
) {
@@ -1307,7 +1314,7 @@
$patternselect = static::$validator;
}
if (is_callable($patternselect)) {
- return $patternselect($address);
+ return call_user_func($patternselect, $address);
}
//Reject line breaks in addresses; it's valid RFC5322, but not RFC5321
if (strpos($address, "\n") !== false || strpos($address, "\r") !== false) {
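Review bot: `is_callable($patternselect)` is also true for a plain string that names an existing function, and the value falls back to `static::$validator` just above. A string selector that happens to match a function name in the host application would therefore be invoked through `call_user_func()` instead of reaching the built-in checks. If string callables are not needed here, restrict the branch to non-strings: `if (is_callable($patternselect) && !is_string($patternselect)) {`. The `html2text()` hunk further down uses the same `is_callable()` / `call_user_func()` pattern on `$advanced`. The enclosing method starts and ends outside this hunk, so whether string selectors are expected is inferred from the `static::$validator` fallback.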
@@ -1348,7 +1355,7 @@
/*
* This is the pattern used in the HTML5 spec for validation of 'email' type form input elements.
*
- * @see http://www.whatwg.org/specs/web-apps/current-work/#e-mail-state-(type=email)
+ * @see https://html.spec.whatwg.org/#e-mail-state-(type=email)
*/
return (bool) preg_match(
'/^[a-zA-Z0-9.!#$%&\'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}' .
@@ -1390,7 +1397,8 @@
{
// Verify we have required functions, CharSet, and at-sign.
$pos = strrpos($address, '@');
- if (!empty($this->CharSet) &&
+ if (
+ !empty($this->CharSet) &&
false !== $pos &&
static::idnSupported()
) {
@@ -1452,8 +1460,9 @@
*/
public function preSend()
{
- if ('smtp' === $this->Mailer
- || ('mail' === $this->Mailer && stripos(PHP_OS, 'WIN') === 0)
+ if (
+ 'smtp' === $this->Mailer
+ || ('mail' === $this->Mailer && (PHP_VERSION_ID >= 80000 || stripos(PHP_OS, 'WIN') === 0))
) {
//SMTP mandates RFC-compliant line endings
//and it's also used with mail() on Windows
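Review bot: The context comment at the end of this hunk still says the RFC line ending is "also used with mail() on Windows", but the new condition also selects it for the `mail` transport on any platform once `PHP_VERSION_ID >= 80000`. Update the comment so the next reader does not take the PHP 8 branch for a mistake, for example `//and it's also used with mail() on Windows, and on all platforms from PHP 8.0`. preSend() continues outside the hunk.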
@@ -1463,7 +1472,8 @@
static::setLE(PHP_EOL);
}
//Check for buggy PHP versions that add a header with an incorrect line break
- if ('mail' === $this->Mailer
+ if (
+ 'mail' === $this->Mailer
&& ((PHP_VERSION_ID >= 70000 && PHP_VERSION_ID < 70017)
|| (PHP_VERSION_ID >= 70100 && PHP_VERSION_ID < 70103))
&& ini_get('mail.add_x_header') === '1'
@@ -1550,7 +1560,8 @@
}
// Sign with DKIM if enabled
- if (!empty($this->DKIM_domain)
+ if (
+ !empty($this->DKIM_domain)
&& !empty($this->DKIM_selector)
&& (!empty($this->DKIM_private_string)
|| (!empty($this->DKIM_private)
@@ -1607,6 +1618,9 @@
return $this->mailSend($this->MIMEHeader, $this->MIMEBody);
}
} catch (Exception $exc) {
+ if ($this->Mailer === 'smtp' && $this->SMTPKeepAlive == true) {
+ $this->smtp->reset();
+ }
$this->setError($exc->getMessage());
$this->edebug($exc->getMessage());
if ($this->exceptions) {
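Review bot: The new `reset()` call in the catch block runs whenever keep-alive is on, without checking that the SMTP connection is still usable, and its result is ignored. If the exception came from a dropped or never-established connection, the reset attempt adds a second failure on top of the original one. A guard avoids that: `if ('smtp' === $this->Mailer && $this->SMTPKeepAlive && $this->smtp->connected()) {`. That form also replaces the loose `== true` with the strict, constant-first comparison used elsewhere in this file. The try block starts outside the hunk, so which calls can throw here is not visible.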
@@ -1711,7 +1725,8 @@
protected static function isShellSafe($string)
{
// Future-proof
- if (escapeshellcmd($string) !== $string
+ if (
+ escapeshellcmd($string) !== $string
|| !in_array(escapeshellarg($string), ["'$string'", "\"$string\""])
) {
return false;
@@ -1748,6 +1763,23 @@
}
/**
+ * Check whether a file path is safe, accessible, and readable.
+ *
+ * @param string $path A relative or absolute path to a file
+ *
+ * @return bool
+ */
+ protected static function fileIsAccessible($path)
+ {
+ $readable = file_exists($path);
+ //If not a UNC path (expected to start with \\), check read permission, see #2069
+ if (strpos($path, '\\\\') !== 0) {
+ $readable = $readable && is_readable($path);
+ }
+ return static::isPermittedPath($path) && $readable;
+ }
+
+ /**
* Send mail using the PHP mail() function.
*
* @see http://www.php.net/manual/en/book.mail.php
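Review bot: `fileIsAccessible()` calls `file_exists($path)` before `isPermittedPath($path)` is evaluated, so a path the permit check would reject has already been handed to a filesystem function by the time the final `&&` runs. The body of `isPermittedPath()` is not in this hunk, but if it is what keeps stream-wrapper style paths away from file functions, the check should come first and return early. `file_exists()` also accepts directories, which the `@is_file($path)` tests replaced in the later attachment hunks did not; `is_file()` keeps that behaviour. As this file is vendored, the practical route is probably a newer upstream release rather than a local patch.

```php
protected static function fileIsAccessible($path)
{
    //Reject the path before any filesystem function sees it
    if (!static::isPermittedPath($path)) {
        return false;
    }
    $readable = is_file($path);
    // … unchanged: UNC check that skips is_readable() …
    return $readable;
}
```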
@@ -1878,7 +1910,7 @@
$isSent = true;
}
- $callbacks[] = ['issent'=>$isSent, 'to'=>$to[0]];
+ $callbacks[] = ['issent' => $isSent, 'to' => $to[0]];
}
}
@@ -1958,11 +1990,13 @@
foreach ($hosts as $hostentry) {
$hostinfo = [];
- if (!preg_match(
- '/^(?:(ssl|tls):\/\/)?(.+?)(?::(\d+))?$/',
- trim($hostentry),
- $hostinfo
- )) {
+ if (
+ !preg_match(
+ '/^(?:(ssl|tls):\/\/)?(.+?)(?::(\d+))?$/',
+ trim($hostentry),
+ $hostinfo
+ )
+ ) {
$this->edebug($this->lang('invalid_hostentry') . ' ' . trim($hostentry));
// Not a valid host entry
continue;
@@ -2000,7 +2034,12 @@
}
$host = $hostinfo[2];
$port = $this->Port;
- if (array_key_exists(3, $hostinfo) && is_numeric($hostinfo[3]) && $hostinfo[3] > 0 && $hostinfo[3] < 65536) {
+ if (
+ array_key_exists(3, $hostinfo) &&
+ is_numeric($hostinfo[3]) &&
+ $hostinfo[3] > 0 &&
+ $hostinfo[3] < 65536
+ ) {
$port = (int) $hostinfo[3];
}
if ($this->smtp->connect($prefix . $host, $port, $this->Timeout, $options)) {
@@ -2026,12 +2065,14 @@
// We must resend EHLO after TLS negotiation
$this->smtp->hello($hello);
}
- if ($this->SMTPAuth && !$this->smtp->authenticate(
- $this->Username,
- $this->Password,
- $this->AuthType,
- $this->oauth
- )) {
+ if (
+ $this->SMTPAuth && !$this->smtp->authenticate(
+ $this->Username,
+ $this->Password,
+ $this->AuthType,
+ $this->oauth
+ )
+ ) {
throw new Exception($this->lang('authenticate'));
}
@@ -2089,7 +2130,7 @@
'am' => 'hy',
];
- if (isset($renamed_langcodes[$langcode])) {
+ if (array_key_exists($langcode, $renamed_langcodes)) {
$langcode = $renamed_langcodes[$langcode];
}
@@ -2130,7 +2171,7 @@
// There is no English translation file
if ('en' !== $langcode) {
// Make sure language file path is readable
- if (!static::isPermittedPath($lang_file) || !file_exists($lang_file)) {
+ if (!static::fileIsAccessible($lang_file)) {
$foundlang = false;
} else {
// Overwrite language-specific strings.
@@ -2378,21 +2419,18 @@
$result .= $this->headerLine('Date', '' === $this->MessageDate ? self::rfcDate() : $this->MessageDate);
- // To be created automatically by mail()
- if ($this->SingleTo) {
- if ('mail' !== $this->Mailer) {
+ // The To header is created automatically by mail(), so needs to be omitted here
+ if ('mail' !== $this->Mailer) {
+ if ($this->SingleTo) {
foreach ($this->to as $toaddr) {
$this->SingleToArray[] = $this->addrFormat($toaddr);
}
- }
- } elseif (count($this->to) > 0) {
- if ('mail' !== $this->Mailer) {
+ } elseif (count($this->to) > 0) {
$result .= $this->addrAppend('To', $this->to);
+ } elseif (count($this->cc) === 0) {
+ $result .= $this->headerLine('To', 'undisclosed-recipients:;');
}
- } elseif (count($this->cc) === 0) {
- $result .= $this->headerLine('To', 'undisclosed-recipients:;');
}
-
$result .= $this->addrAppend('From', [[trim($this->From), $this->FromName]]);
// sendmail and mail() extract Cc from the header before sending
@@ -2401,7 +2439,8 @@
}
// sendmail and mail() extract Bcc from the header before sending
- if ((
+ if (
+ (
'sendmail' === $this->Mailer || 'qmail' === $this->Mailer || 'mail' === $this->Mailer
)
&& count($this->bcc) > 0
@@ -2947,7 +2986,7 @@
* @param string $path Path to the attachment
* @param string $name Overrides the attachment name
* @param string $encoding File encoding (see $Encoding)
- * @param string $type File extension (MIME) type
+ * @param string $type MIME type, e.g. `image/jpeg`; determined automatically from $path if not specified
* @param string $disposition Disposition to use
*
* @throws Exception
@@ -2962,7 +3001,7 @@
$disposition = 'attachment'
) {
try {
- if (!static::isPermittedPath($path) || !@is_file($path) || !is_readable($path)) {
+ if (!static::fileIsAccessible($path)) {
throw new Exception($this->lang('file_access') . $path, self::STOP_CONTINUE);
}
@@ -2975,7 +3014,6 @@
if ('' === $name) {
$name = $filename;
}
-
if (!$this->validateEncoding($encoding)) {
throw new Exception($this->lang('encoding') . $encoding);
}
@@ -3137,7 +3175,7 @@
protected function encodeFile($path, $encoding = self::ENCODING_BASE64)
{
try {
- if (!static::isPermittedPath($path) || !file_exists($path) || !is_readable($path)) {
+ if (!static::fileIsAccessible($path)) {
throw new Exception($this->lang('file_open') . $path, self::STOP_CONTINUE);
}
$file_buffer = file_get_contents($path);
@@ -3523,7 +3561,7 @@
$disposition = 'inline'
) {
try {
- if (!static::isPermittedPath($path) || !@is_file($path) || !is_readable($path)) {
+ if (!static::fileIsAccessible($path)) {
throw new Exception($this->lang('file_access') . $path, self::STOP_CONTINUE);
}
@@ -3872,7 +3910,8 @@
public static function isValidHost($host)
{
//Simple syntax limits
- if (empty($host)
+ if (
+ empty($host)
|| !is_string($host)
|| strlen($host) > 256
|| !preg_match('/^([a-zA-Z\d.-]*|\[[a-fA-F\d:]+])$/', $host)
@@ -3990,7 +4029,8 @@
* @param string $message HTML message string
* @param string $basedir Absolute path to a base directory to prepend to relative paths to images
* @param bool|callable $advanced Whether to use the internal HTML to text converter
- * or your own custom converter @return string $message The transformed message Body
+ * or your own custom converter
+ * @return string The transformed message body
*
* @throws Exception
*
@@ -4037,7 +4077,8 @@
);
continue;
}
- if (// Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
+ if (
+ // Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
!empty($basedir)
// Ignore URLs containing parent dir traversal (..)
&& (strpos($url, '..') === false)
@@ -4059,13 +4100,14 @@
if (strlen($directory) > 1 && '/' !== substr($directory, -1)) {
$directory .= '/';
}
- if ($this->addEmbeddedImage(
- $basedir . $directory . $filename,
- $cid,
- $filename,
- static::ENCODING_BASE64,
- static::_mime_types((string) static::mb_pathinfo($filename, PATHINFO_EXTENSION))
- )
+ if (
+ $this->addEmbeddedImage(
+ $basedir . $directory . $filename,
+ $cid,
+ $filename,
+ static::ENCODING_BASE64,
+ static::_mime_types((string) static::mb_pathinfo($filename, PATHINFO_EXTENSION))
+ )
) {
$message = preg_replace(
'/' . $images[1][$imgindex] . '=["\']' . preg_quote($url, '/') . '["\']/Ui',
@@ -4114,7 +4156,7 @@
public function html2text($html, $advanced = false)
{
if (is_callable($advanced)) {
- return $advanced($html);
+ return call_user_func($advanced, $html);
}
return html_entity_decode(
@@ -4213,6 +4255,7 @@
'tiff' => 'image/tiff',
'tif' => 'image/tiff',
'webp' => 'image/webp',
+ 'avif' => 'image/avif',
'heif' => 'image/heif',
'heifs' => 'image/heif-sequence',
'heic' => 'image/heic',
@@ -4483,11 +4526,15 @@
$privKey = openssl_pkey_get_private($privKeyStr);
}
if (openssl_sign($signHeader, $signature, $privKey, 'sha256WithRSAEncryption')) {
- openssl_pkey_free($privKey);
+ if (PHP_MAJOR_VERSION < 8) {
+ openssl_pkey_free($privKey);
+ }
return base64_encode($signature);
}
- openssl_pkey_free($privKey);
+ if (PHP_MAJOR_VERSION < 8) {
+ openssl_pkey_free($privKey);
+ }
return '';
}
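Review bot: The value returned by `openssl_pkey_get_private()` goes straight into `openssl_sign()` with no check for `false`, and the failure path returns `''` without recording why. A key that fails to load (for example malformed PEM) therefore surfaces only as an empty signature. An explicit guard before `openssl_sign()`, such as `if (false === $privKey) { return ''; }`, ideally with a debug message, would make that case distinguishable. It would also avoid passing `false` to `openssl_pkey_free()` on PHP 7. The method starts outside this hunk.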