
Don't use "/e" in PHPMailer Lite

Summary: PHP 5.4 raises an E_STRICT warning about "/e", and it's a generally awful idea, even though this case doesn't look exploitable. Silence the warning by using preg_replace_callback() instead of "/e".

Test Plan: Sent myself a message with a bunch of multibyte UTF-8 characters in it; it came through cleanly.

Reviewers: btrahan, vrana, jungejason

Reviewed By: vrana

CC: aran

Maniphest Tasks: T1056

Differential Revision: https://secure.phabricator.com/D2147
This commit is contained in:
epriestley 2012-04-08 10:02:16 -07:00
parent b90d41dd90
commit f7b569e5d9


@ -489,7 +489,7 @@ class PHPMailerLite {
// Choose the mailer and send through it // Choose the mailer and send through it
switch($this->Mailer) { switch($this->Mailer) {
case 'amazon-ses': case 'amazon-ses':
$toArr = array(); $toArr = array();
foreach($this->to as $t) { foreach($this->to as $t) {
@ -1482,6 +1482,13 @@ class PHPMailerLite {
return $out; return $out;
} }
/**
* NOTE: Phabricator patch to remove use of "/e". See D2147.
*/
private function encodeQCallback(array $matches) {
return '='.sprintf('%02X', ord($matches[1]));
}
/** /**
* Encode string to q encoding. * Encode string to q encoding.
* @link http://tools.ietf.org/html/rfc2047 * @link http://tools.ietf.org/html/rfc2047
@ -1491,21 +1498,32 @@ class PHPMailerLite {
* @return string * @return string
*/ */
public function EncodeQ ($str, $position = 'text') { public function EncodeQ ($str, $position = 'text') {
// NOTE: Phabricator patch to remove use of "/e". See D2147.
// There should not be any EOL in the string // There should not be any EOL in the string
$encoded = preg_replace('/[\r\n]*/', '', $str); $encoded = preg_replace('/[\r\n]*/', '', $str);
switch (strtolower($position)) { switch (strtolower($position)) {
case 'phrase': case 'phrase':
$encoded = preg_replace("/([^A-Za-z0-9!*+\/ -])/e", "'='.sprintf('%02X', ord('\\1'))", $encoded); $encoded = preg_replace_callback(
"/([^A-Za-z0-9!*+\/ -])/",
array($this, 'encodeQCallback'),
$encoded);
break; break;
case 'comment': case 'comment':
$encoded = preg_replace("/([\(\)\"])/e", "'='.sprintf('%02X', ord('\\1'))", $encoded); $encoded = preg_replace(
"/([\(\)\"])/",
array($this, 'encodeQCallback'),
$encoded);
break;
case 'text': case 'text':
default: default:
// Replace every high ascii, control =, ? and _ characters // Replace every high ascii, control =, ? and _ characters
//TODO using /e (equivalent to eval()) is probably not a good idea $encoded = preg_replace(
$encoded = preg_replace('/([\000-\011\013\014\016-\037\075\077\137\177-\377])/e', '/([\000-\011\013\014\016-\037\075\077\137\177-\377])/',
"'='.sprintf('%02X', ord('\\1'))", $encoded); array($this, 'encodeQCallback'),
$encoded);
break; break;
} }