PHPMailer Update auf 5.2.21, Authorizenet Aenderungen aus 1.5.5d

ANLEITUNG/index.html

@@ -59,7 +59,7 @@ <h1>Willkommen bei der deutschen Zen Cart Version 1.5.5</h1>
 <em>Das Team der deutschen Zen Cart Version</em></p>
 <hr />
 <span class="small">
-Die deutsche Zen Cart Version 1.5.5 ist eine Modifikation der amerikanischen Zen Cart Version 1.5.5c von <a href="http://www.zen-cart.com" target="_blank">zen-cart.com</a>.<br/>
+Die deutsche Zen Cart Version 1.5.5 ist eine Modifikation der amerikanischen Zen Cart Version 1.5.5d von <a href="http://www.zen-cart.com" target="_blank">zen-cart.com</a>.<br/>
 <br/>
 Dieses Programm wird in der Hoffnung vertrieben, dass es nützlich ist, allerdings OHNE IRGENDWELCHE GARANTIEN; ohne  die  Garantie der MARKTGÄNGIGKEIT oder der EIGNUNG ZU EINEM BESTIMMTEN ZWECK
 und wird vertrieben unter der GNU General Public License </span>
@@ -143,7 +143,7 @@ <h1>Neue Funktionen gegenüber 1.5.4</h1>
 </ul>
 
 <p>
-  Folgende Neuerungen und Bugfixes wurden aus der amerikanischen 1.5.5c Version  übernommen:</p>
+  Folgende Neuerungen und Bugfixes wurden aus der amerikanischen 1.5.5d Version  übernommen:</p>
 <ul>
   <li>All known v1.5.4 bugfixes and security fixes are included in v1.5.5,   including tighter control around XSS as well as clickjacking</li>
   <li>Template: The default out-of-the-box template (called "Responsive   Classic") is now a mobile-friendly responsive-design theme built for   flexibility with tablets, mobile devices, and desktops.</li>
@@ -195,7 +195,7 @@ <h1>Neue Funktionen gegenüber 1.5.4</h1>
   <li>Fix extra breadcrumb that was appearing when always-open-with-category is enabled</li>
   <li>Update BOC currency parsing to cope with their data changes and division-by-zero errors as a result</li>
   <li>Fix a test-mode bug in Authorizenet AIM module</li>
-  <li>Fix serious PHPMailer bug (upgraded to 5.2.19)</li>
+  <li>Fix serious PHPMailer bug (upgraded to 5.2.21)</li>
   <li>    Fix some variable strict-type rule enforcement issues for better PHP 7 compatibility</li>
   <li>    Fix sanitizer (admin) overzealous cleaning for Attribute Option Comments</li>
   <li>    Fixed bug preventing sending Coupon and GV emails to &quot;all customers&quot;</li>

README.md

@@ -73,4 +73,4 @@ Zen Cart 1.5.5 deutsch ermöglicht den Einsatz von Zen Cart unter PHP 7 und brin
 * pdf Rechnung integriert
 * Bei Bestellungen können die Adressdaten korrigiert werden
 
-Alle Neuerungen und Bugfixes aus der amerikanischen 1.5.5c Version wurden ebenfalls übernommen
+Alle Neuerungen und Bugfixes aus der amerikanischen 1.5.5d Version wurden ebenfalls übernommen

UPLOAD/includes/classes/vendors/PHPMailer/VERSION

@@ -1 +1 @@
-5.2.19
+5.2.21

UPLOAD/includes/classes/vendors/PHPMailer/class.phpmailer.php

@@ -31,7 +31,7 @@ class PHPMailer
      * The PHPMailer Version number.
      * @var string
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**
      * Email priority.
@@ -1364,19 +1364,24 @@ public function postSend()
      */
     protected function sendmailSend($header, $body)
     {
-        if (!empty($this->Sender)) {
+        // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+        if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
             if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -f%s';
             } else {
-                $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -oi -f%s -t';
             }
         } else {
             if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s';
             } else {
-                $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s -oi -t';
             }
         }
+
+        // TODO: If possible, this should be changed to escapeshellarg.  Needs thorough testing.
+        $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
+
         if ($this->SingleTo) {
             foreach ($this->SingleToArray as $toAddr) {
                 if (!@$mail = popen($sendmail, 'w')) {
@@ -1422,6 +1427,40 @@ protected function sendmailSend($header, $body)
         return true;
     }
 
+    /**
+     * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
+     *
+     * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+     * @param string $string The string to be validated
+     * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
+     * @access protected
+     * @return boolean
+     */
+    protected static function isShellSafe($string)
+    {
+        // Future-proof
+        if (escapeshellcmd($string) !== $string
+            or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))
+        ) {
+            return false;
+        }
+
+        $length = strlen($string);
+
+        for ($i = 0; $i < $length; $i++) {
+            $c = $string[$i];
+
+            // All other characters have a special meaning in at least one common shell, including = and +.
+            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     /**
      * Send mail using the PHP mail() function.
      * @param string $header The message headers
@@ -1442,7 +1481,10 @@ protected function mailSend($header, $body)
         $params = null;
         //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
         if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
-            $params = sprintf('-f%s', escapeshellarg($this->Sender));
+            // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+            if (self::isShellSafe($this->Sender)) {
+                $params = sprintf('-f%s', $this->Sender);
+            }
         }
         if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
             $old_from = ini_get('sendmail_from');

UPLOAD/includes/classes/vendors/PHPMailer/class.phpmaileroauth.php

@@ -80,6 +80,7 @@ public function getOAUTHInstance()
      * @uses SMTP
      * @access public
      * @return bool
+     * @throws phpmailerException
      */
     public function smtpConnect($options = array())
     {

UPLOAD/includes/classes/vendors/PHPMailer/class.pop3.php

@@ -34,7 +34,7 @@ class POP3
      * @var string
      * @access public
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**
      * Default POP3 port number.

UPLOAD/includes/classes/vendors/PHPMailer/class.smtp.php

@@ -30,7 +30,7 @@ class SMTP
      * The PHPMailer SMTP version number.
      * @var string
      */
-    const VERSION = '5.2.19';
+    const VERSION = '5.2.21';
 
     /**
      * SMTP line break constant.
@@ -81,7 +81,7 @@ class SMTP
      * @deprecated Use the `VERSION` constant instead
      * @see SMTP::VERSION
      */
-    public $Version = '5.2.19';
+    public $Version = '5.2.21';
 
     /**
      * SMTP server port number.