mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-22 14:52:41 +01:00
Don't use "/e" in PHPMailer Lite
Summary: PHP 5.4 raises an E_STRICT warning about "/e", and it's a generally awful idea, even though this case doesn't look exploitable. Silence the warning by using preg_replace_callback() instead of "/e". Test Plan: Sent myself a message with a bunch of multibyte UTF8 characters in it, it came through cleanly. Reviewers: btrahan, vrana, jungejason Reviewed By: vrana CC: aran Maniphest Tasks: T1056 Differential Revision: https://secure.phabricator.com/D2147
This commit is contained in:
parent
b90d41dd90
commit
f7b569e5d9
1 changed files with 24 additions and 6 deletions
28
externals/phpmailer/class.phpmailer-lite.php
vendored
28
externals/phpmailer/class.phpmailer-lite.php
vendored
|
@ -1482,6 +1482,13 @@ class PHPMailerLite {
|
|||
return $out;
|
||||
}
|
||||
|
||||
/**
|
||||
* NOTE: Phabricator patch to remove use of "/e". See D2147.
|
||||
*/
|
||||
private function encodeQCallback(array $matches) {
|
||||
return '='.sprintf('%02X', ord($matches[1]));
|
||||
}
|
||||
|
||||
/**
|
||||
* Encode string to q encoding.
|
||||
* @link http://tools.ietf.org/html/rfc2047
|
||||
|
@ -1491,21 +1498,32 @@ class PHPMailerLite {
|
|||
* @return string
|
||||
*/
|
||||
public function EncodeQ ($str, $position = 'text') {
|
||||
|
||||
// NOTE: Phabricator patch to remove use of "/e". See D2147.
|
||||
|
||||
// There should not be any EOL in the string
|
||||
$encoded = preg_replace('/[\r\n]*/', '', $str);
|
||||
|
||||
switch (strtolower($position)) {
|
||||
case 'phrase':
|
||||
$encoded = preg_replace("/([^A-Za-z0-9!*+\/ -])/e", "'='.sprintf('%02X', ord('\\1'))", $encoded);
|
||||
$encoded = preg_replace_callback(
|
||||
"/([^A-Za-z0-9!*+\/ -])/",
|
||||
array($this, 'encodeQCallback'),
|
||||
$encoded);
|
||||
break;
|
||||
case 'comment':
|
||||
$encoded = preg_replace("/([\(\)\"])/e", "'='.sprintf('%02X', ord('\\1'))", $encoded);
|
||||
$encoded = preg_replace(
|
||||
"/([\(\)\"])/",
|
||||
array($this, 'encodeQCallback'),
|
||||
$encoded);
|
||||
break;
|
||||
case 'text':
|
||||
default:
|
||||
// Replace every high ascii, control =, ? and _ characters
|
||||
//TODO using /e (equivalent to eval()) is probably not a good idea
|
||||
$encoded = preg_replace('/([\000-\011\013\014\016-\037\075\077\137\177-\377])/e',
|
||||
"'='.sprintf('%02X', ord('\\1'))", $encoded);
|
||||
$encoded = preg_replace(
|
||||
'/([\000-\011\013\014\016-\037\075\077\137\177-\377])/',
|
||||
array($this, 'encodeQCallback'),
|
||||
$encoded);
|
||||
break;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in a new issue