Upgrade to PHPMailer 6.1.8

Author: bramley

public_html/lists/admin/PHPMailer6/SECURITY.md

@@ -2,6 +2,8 @@
 
 Please disclose any vulnerabilities found responsibly - report any security problems found to the maintainers privately.
 
+PHPMailer versions 6.1.5 and earlier contain an output escaping bug that occurs in `Content-Type` and `Content-Disposition` when filenames passed into `addAttachment` and other methods that accept attachment names contain double quote characters, in contravention of RFC822 3.4.1. No specific vulnerability has been found relating to this, but it could allow file attachments to bypass attachment filters that are based on matching filename extensions. Recorded as [CVE-2020-13625](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13625). Reported by Elar Lang of Clarified Security.
+
 PHPMailer versions prior to 6.0.6 and 5.2.27 are vulnerable to an object injection attack by passing `phar://` paths into `addAttachment()` and other functions that may receive unfiltered local paths, possibly leading to RCE. Recorded as [CVE-2018-19296](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19296). See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info on this type of vulnerability. Mitigated by blocking the use of paths containing URL-protocol style prefixes such as `phar://`. Reported by Sehun Oh of cyberone.kr.
 
 PHPMailer versions prior to 5.2.24 (released July 26th 2017) have an XSS vulnerability in one of the code examples, [CVE-2017-11503](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-11503). The `code_generator.phps` example did not filter user input prior to output. This file is distributed with a `.phps` extension, so it it not normally executable unless it is explicitly renamed, and the file is not included when PHPMailer is loaded through composer, so it is safe by default. There was also an undisclosed potential XSS vulnerability in the default exception handler (unused by default). Patches for both issues kindly provided by Patrick Monnerat of the Fedora Project.

public_html/lists/admin/PHPMailer6/VERSION

@@ -1 +1 @@
-6.1.5
+6.1.8

public_html/lists/admin/PHPMailer6/composer.json

@@ -19,22 +19,32 @@
             "name": "Brent R. Matzelle"
         }
     ],
+    "funding": [
+        {
+            "url": "https://github.com/Synchro",
+            "type": "github"
+        }
+    ],
     "require": {
         "php": ">=5.5.0",
         "ext-ctype": "*",
-        "ext-filter": "*"
+        "ext-filter": "*",
+        "ext-hash": "*"
     },
     "require-dev": {
-        "friendsofphp/php-cs-fixer": "^2.2",
+        "dealerdirect/phpcodesniffer-composer-installer": "^0.7.0",
+        "doctrine/annotations": "^1.2",
+        "phpcompatibility/php-compatibility": "^9.3.5",
         "phpunit/phpunit": "^4.8 || ^5.7",
-        "doctrine/annotations": "^1.2"
+        "roave/security-advisories": "dev-latest",
+        "squizlabs/php_codesniffer": "^3.5.6"
     },
     "suggest": {
-        "psr/log": "For optional PSR-3 debug logging",
-        "league/oauth2-google": "Needed for Google XOAUTH2 authentication",
+        "ext-mbstring": "Needed to send email in multibyte encoding charset",
         "hayageek/oauth2-yahoo": "Needed for Yahoo XOAUTH2 authentication",
+        "league/oauth2-google": "Needed for Google XOAUTH2 authentication",
+        "psr/log": "For optional PSR-3 debug logging",
         "stevenmaguire/oauth2-microsoft": "Needed for Microsoft XOAUTH2 authentication",
-        "ext-mbstring": "Needed to send email in multibyte encoding charset",
         "symfony/polyfill-mbstring": "To support UTF-8 if the Mbstring PHP extension is not enabled (^1.2)"
     },
     "autoload": {

public_html/lists/admin/PHPMailer6/get_oauth_token.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * PHPMailer - PHP email creation and transport class.
  * PHP Version 5.5
@@ -8,14 +9,15 @@
  * @author Jim Jagielski (jimjag) <[email protected]>
  * @author Andy Prevost (codeworxtech) <[email protected]>
  * @author Brent R. Matzelle (original founder)
- * @copyright 2012 - 2017 Marcus Bointon
+ * @copyright 2012 - 2020 Marcus Bointon
  * @copyright 2010 - 2012 Jim Jagielski
  * @copyright 2004 - 2009 Andy Prevost
  * @license http://www.gnu.org/copyleft/lesser.html GNU Lesser General Public License
  * @note This program is distributed in the hope that it will be useful - WITHOUT
  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE.
  */
+
 /**
  * Get an OAuth2 token from an OAuth2 provider.
  * * Install this script on your server so that it's accessible
@@ -44,16 +46,16 @@
 use Stevenmaguire\OAuth2\Client\Provider\Microsoft;
 
 if (!isset($_GET['code']) && !isset($_GET['provider'])) {
-?>
+    ?>
 <html>
 <body>Select Provider:<br/>
 <a href='?provider=Google'>Google</a><br/>
 <a href='?provider=Yahoo'>Yahoo</a><br/>
 <a href='?provider=Microsoft'>Microsoft/Outlook/Hotmail/Live/Office365</a><br/>
 </body>
 </html>
-<?php
-exit;
+    <?php
+    exit;
 }
 
 require 'vendor/autoload.php';

public_html/lists/admin/PHPMailer6/language/phpmailer.lang-af.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Afrikaans PHPMailer language file: refer to English translation for definitive list
  * @package PHPMailer

public_html/lists/admin/PHPMailer6/language/phpmailer.lang-ar.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Arabic PHPMailer language file: refer to English translation for definitive list
  * @package PHPMailer

public_html/lists/admin/PHPMailer6/language/phpmailer.lang-az.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Azerbaijani PHPMailer language file: refer to English translation for definitive list
  * @package PHPMailer

public_html/lists/admin/PHPMailer6/language/phpmailer.lang-ba.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Bosnian PHPMailer language file: refer to English translation for definitive list
  * @package PHPMailer
@@ -23,4 +24,4 @@
 $PHPMAILER_LANG['smtp_connect_failed']  = 'Spajanje na SMTP server nije uspjelo.';
 $PHPMAILER_LANG['smtp_error']           = 'SMTP greška: ';
 $PHPMAILER_LANG['variable_set']         = 'Nije moguće postaviti varijablu ili je vratiti nazad: ';
-$PHPMAILER_LANG['extension_missing']    = 'Nedostaje ekstenzija: ';
+$PHPMAILER_LANG['extension_missing']    = 'Nedostaje ekstenzija: ';

public_html/lists/admin/PHPMailer6/language/phpmailer.lang-be.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Belarusian PHPMailer language file: refer to English translation for definitive list
  * @package PHPMailer

public_html/lists/admin/PHPMailer6/language/phpmailer.lang-bg.php

@@ -1,4 +1,5 @@
 <?php
+
 /**
  * Bulgarian PHPMailer language file: refer to English translation for definitive list
  * @package PHPMailer