File: 0001-fix-CVE-2016-10074.patch

diff -Nur libphp-swiftmailer-5.4.2.orig/lib/classes/Swift/Transport/MailTransport.php libphp-swiftmailer-5.4.2/lib/classes/Swift/Transport/MailTransport.php
--- libphp-swiftmailer-5.4.2.orig/lib/classes/Swift/Transport/MailTransport.php	2016-05-01 08:45:47.000000000 +0000
+++ libphp-swiftmailer-5.4.2/lib/classes/Swift/Transport/MailTransport.php	2017-01-04 15:53:43.400445794 +0000
@@ -237,6 +237,36 @@
     }
 
     /**
+     * Fix CVE-2016-10074 by disallowing potentially unsafe shell characters.
+     *
+     * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+     *
+     * @param string $string The string to be validated
+     *
+     * @return bool
+     */
+    private function _isShellSafe($string)
+    {
+        // Future-proof
+        if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))) {
+            return false;
+        }
+
+        $length = strlen($string);
+        for ($i = 0; $i < $length; ++$i) {
+            $c = $string[$i];
+            // All other characters have a special meaning in at least one common shell, including = and +.
+            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
      * Return php mail extra params to use for invoker->mail.
      *
      * @param $extraParams
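Review bot: The allowlist loop at `$c = $string[$i]` walks bytes, so whether `_isShellSafe` accepts a byte at or above 0x80 depends on the process's LC_CTYPE at call time; the comment on the loop admits this, but it means the result of a security check changes with any `setlocale()` made elsewhere in the application. If locale-dependent acceptance is not intended, an ASCII-only test such as `return (bool) preg_match('/^[A-Za-z0-9@_.\-]*$/D', $string);` in place of the loop makes the check deterministic (keep the `escapeshellcmd`/`escapeshellarg` comparison in front of it). The `// Future-proof` comment should say what that comparison is for, e.g. `// Reject anything the platform's own escaping functions would alter, before applying the stricter allowlist below.`. Note also that an empty string passes (the loop never runs), so callers must treat emptiness themselves, as `_formatExtraParams` does.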
@@ -247,7 +277,11 @@
     private function _formatExtraParams($extraParams, $reversePath)
     {
         if (false !== strpos($extraParams, '-f%s')) {
-            $extraParams = empty($reversePath) ? str_replace('-f%s', '', $extraParams) : sprintf($extraParams, escapeshellarg($reversePath));
+            if (empty($reversePath) || false === $this->_isShellSafe($reversePath)) {
+                $extraParams = str_replace('-f%s', '', $extraParams);
+            } else {
+                $extraParams = sprintf($extraParams, $reversePath);
+            }
         }
 
         return !empty($extraParams) ? $extraParams : null;
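Review bot: When `_isShellSafe` rejects the reverse path, the new branch strips `-f%s` silently, so a legitimate address the allowlist excludes (plus-addressing such as `user+tag@example.com`, ruled out by the `+` exclusion the first hunk documents) loses its envelope sender with no log entry or exception, and bounces go to the MTA's default sender instead. Failing closed is the right direction, but it should be visible: state it in the `_formatExtraParams` docblock (which begins in the preceding hunk), e.g. `A reverse path that fails _isShellSafe() is dropped, not escaped; the MTA default envelope sender is used.`, and consider a `trigger_error(..., E_USER_NOTICE)` in the rejecting branch. Stylistically, `false === $this->_isShellSafe($reversePath)` can be `!$this->_isShellSafe($reversePath)` since the method returns a strict bool. The function body continues past the end of this hunk.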