Version 3.5.1

1. 升级PHPMailer至5.2.22 2. 安装后删除无用文件 3. 开启X-Frame-Options，X-Content-Type-Options 4. 修复一系列bug Todo 修复jqxgrid的一些问题
2017-02-18 17:07:32 +08:00
parent c246503ca8
commit e4fa310d38
9 changed files with 115 additions and 37 deletions
--- a/PHPMailer/VERSION
+++ b/PHPMailer/VERSION
@@ -1 +1 @@
-5.2.19
+5.2.22
--- a/PHPMailer/class.phpmailer.php
+++ b/PHPMailer/class.phpmailer.php
@@ -31,7 +31,7 @@ class PHPMailer
     * The PHPMailer Version number.
     * @var string
     */
-    public $Version = '5.2.19';
+    public $Version = '5.2.22';

    /**
     * Email priority.
@@ -1364,19 +1364,24 @@ class PHPMailer
     */
    protected function sendmailSend($header, $body)
    {
-        if (!empty($this->Sender)) {
+        // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+        if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
            if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s -f%s', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -f%s';
            } else {
-                $sendmail = sprintf('%s -oi -f%s -t', escapeshellcmd($this->Sendmail), escapeshellarg($this->Sender));
+                $sendmailFmt = '%s -oi -f%s -t';
            }
        } else {
            if ($this->Mailer == 'qmail') {
-                $sendmail = sprintf('%s', escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s';
            } else {
-                $sendmail = sprintf('%s -oi -t', escapeshellcmd($this->Sendmail));
+                $sendmailFmt = '%s -oi -t';
            }
        }
+
+        // TODO: If possible, this should be changed to escapeshellarg.  Needs thorough testing.
+        $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
+
        if ($this->SingleTo) {
            foreach ($this->SingleToArray as $toAddr) {
                if (!@$mail = popen($sendmail, 'w')) {
@@ -1422,6 +1427,40 @@ class PHPMailer
        return true;
    }

+    /**
+     * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
+     *
+     * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
+     * @param string $string The string to be validated
+     * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
+     * @access protected
+     * @return boolean
+     */
+    protected static function isShellSafe($string)
+    {
+        // Future-proof
+        if (escapeshellcmd($string) !== $string
+            or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))
+        ) {
+            return false;
+        }
+
+        $length = strlen($string);
+
+        for ($i = 0; $i < $length; $i++) {
+            $c = $string[$i];
+
+            // All other characters have a special meaning in at least one common shell, including = and +.
+            // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
+            // Note that this does permit non-Latin alphanumeric characters based on the current locale.
+            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
    /**
     * Send mail using the PHP mail() function.
     * @param string $header The message headers
@@ -1442,7 +1481,10 @@ class PHPMailer
        $params = null;
        //This sets the SMTP envelope sender which gets turned into a return-path header by the receiver
        if (!empty($this->Sender) and $this->validateAddress($this->Sender)) {
-            $params = sprintf('-f%s', escapeshellarg($this->Sender));
+            // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
+            if (self::isShellSafe($this->Sender)) {
+                $params = sprintf('-f%s', $this->Sender);
+            }
        }
        if (!empty($this->Sender) and !ini_get('safe_mode') and $this->validateAddress($this->Sender)) {
            $old_from = ini_get('sendmail_from');
@@ -2450,6 +2492,7 @@ class PHPMailer

    /**
     * Add an attachment from a path on the filesystem.
+     * Never use a user-supplied path to a file!
     * Returns false if the file could not be found or read.
     * @param string $path Path to the attachment.
     * @param string $name Overrides the attachment name.
@@ -2975,6 +3018,7 @@ class PHPMailer
     * displayed inline with the message, not just attached for download.
     * This is used in HTML messages that embed the images
     * the HTML refers to using the $cid value.
+     * Never use a user-supplied path to a file!
     * @param string $path Path to the attachment.
     * @param string $cid Content ID of the attachment; Use this to reference
     *        the content when using an embedded image in HTML.
@@ -3338,12 +3382,14 @@ class PHPMailer
     * Create a message body from an HTML string.
     * Automatically inlines images and creates a plain-text version by converting the HTML,
     * overwriting any existing values in Body and AltBody.
-     * $basedir is used when handling relative image paths, e.g. <img src="images/a.png">
+     * Do not source $message content from user input!
+     * $basedir is prepended when handling relative URLs, e.g. <img src="/images/a.png"> and must not be empty
     * will look for an image file in $basedir/images/a.png and convert it to inline.
-     * If you don't want to apply these transformations to your HTML, just set Body and AltBody yourself.
+     * If you don't provide a $basedir, relative paths will be left untouched (and thus probably break in email)
+     * If you don't want to apply these transformations to your HTML, just set Body and AltBody directly.
     * @access public
     * @param string $message HTML message string
-     * @param string $basedir base directory for relative paths to images
+     * @param string $basedir Absolute path to a base directory to prepend to relative paths to images
     * @param boolean|callable $advanced Whether to use the internal HTML to text converter
     *    or your own custom converter @see PHPMailer::html2text()
     * @return string $message The transformed message Body
@@ -3352,6 +3398,10 @@ class PHPMailer
    {
        preg_match_all('/(src|background)=["\'](.*)["\']/Ui', $message, $images);
        if (array_key_exists(2, $images)) {
+            if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
+                // Ensure $basedir has a trailing /
+                $basedir .= '/';
+            }
            foreach ($images[2] as $imgindex => $url) {
                // Convert data URIs into embedded images
                if (preg_match('#^data:(image[^;,]*)(;base64)?,#', $url, $match)) {
@@ -3369,18 +3419,24 @@ class PHPMailer
                            $message
                        );
                    }
-                } elseif (substr($url, 0, 4) !== 'cid:' && !preg_match('#^[a-z][a-z0-9+.-]*://#i', $url)) {
-                    // Do not change urls for absolute images (thanks to corvuscorax)
+                    continue;
+                }
+                if (
+                    // Only process relative URLs if a basedir is provided (i.e. no absolute local paths)
+                    !empty($basedir)
+                    // Ignore URLs containing parent dir traversal (..)
+                    && (strpos($url, '..') === false)
                    // Do not change urls that are already inline images
+                    && substr($url, 0, 4) !== 'cid:'
+                    // Do not change absolute URLs, including anonymous protocol
+                    && !preg_match('#^[a-z][a-z0-9+.-]*:?//#i', $url)
+                ) {
                    $filename = basename($url);
                    $directory = dirname($url);
                    if ($directory == '.') {
                        $directory = '';
                    }
                    $cid = md5($url) . '@phpmailer.0'; // RFC2392 S 2
-                    if (strlen($basedir) > 1 && substr($basedir, -1) != '/') {
-                        $basedir .= '/';
-                    }
                    if (strlen($directory) > 1 && substr($directory, -1) != '/') {
                        $directory .= '/';
                    }
--- a/PHPMailer/class.pop3.php
+++ b/PHPMailer/class.pop3.php
@@ -34,7 +34,7 @@ class POP3
     * @var string
     * @access public
     */
-    public $Version = '5.2.19';
+    public $Version = '5.2.22';

    /**
     * Default POP3 port number.
--- a/PHPMailer/class.smtp.php
+++ b/PHPMailer/class.smtp.php
@@ -30,7 +30,7 @@ class SMTP
     * The PHPMailer SMTP version number.
     * @var string
     */
-    const VERSION = '5.2.19';
+    const VERSION = '5.2.22';

    /**
     * SMTP line break constant.
@@ -81,7 +81,7 @@ class SMTP
     * @deprecated Use the `VERSION` constant instead
     * @see SMTP::VERSION
     */
-    public $Version = '5.2.19';
+    public $Version = '5.2.22';

    /**
     * SMTP server port number.
--- a/PHPMailer/extras/htmlfilter.php
+++ b/PHPMailer/extras/htmlfilter.php
@@ -433,7 +433,7 @@ function tln_getnxtag($body, $offset)
 *
 * @param string $attvalue the by-ref value to check.
 * @param string $regex    the regular expression to check against.
- * @param boolean $hex        whether the entites are hexadecimal.
+ * @param boolean $hex        whether the entities are hexadecimal.
 * @return boolean            True or False depending on whether there were matches.
 */
 function tln_deent(&$attvalue, $regex, $hex = false)
@@ -772,7 +772,7 @@ function tln_fixstyle($body, $pos, $trans_image_path, $block_external_images)
    tln_defang($contentTemp);
    tln_unspace($contentTemp);

-    $match   = Array('/\/\*.*\*\//',
+    $match   = array('/\/\*.*\*\//',
                    '/expression/i',
                    '/behaviou*r/i',
                    '/binding/i',
@@ -780,7 +780,7 @@ function tln_fixstyle($body, $pos, $trans_image_path, $block_external_images)
                    '/javascript/i',
                    '/script/i',
                    '/position/i');
-    $replace = Array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
+    $replace = array('','idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', 'idiocy', '');
    $contentNew = preg_replace($match, $replace, $contentTemp);
    if ($contentNew !== $contentTemp) {
        $content = $contentNew;
--- a/auth.php
+++ b/auth.php
@@ -31,6 +31,4 @@ if ( ADMIN_IP_CHECK_ENABLE && !(isset($_SESSION['user_IP']) && $_SESSION['user_I
 }

 //开启CSP
-header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'");
-header("X-Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'");
-header("X-WebKit-CSP: default-src 'self'; style-src 'self' 'unsafe-inline';img-src 'self' data:; frame-src 'none'");
+require_once("waf.php");
--- a/install.php
+++ b/install.php
@@ -5,9 +5,7 @@ ignore_user_abort(true);
 //检测是否已经安装
 if ( file_exists('config.php') ) {
    display_header();
-    
-    @unlink($_SERVER['SCRIPT_FILENAME']);
-    @unlink('config-sample.php');
+    delTempFiles();
    die( '<h1>已安装</h1><p>请勿重复安装！</p><p class="step"><a href="login.php" class="button button-large">登录</a></p></body></html>' );
 }

@@ -181,12 +179,11 @@ CONFIG;
        if ( $error === false ) {
            
            //重加密记录
-            modify_js_desc($my_js_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type);
-            modify_js_desc($js_template_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type);
+            modifyJsDesc($my_js_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type);
+            modifyJsDesc($js_template_path,true,'bluelotus','RC4',$encrypt_enable,$encrypt_pass, $encrypt_type);
            
            //安装完成，自杀
-            @unlink($_SERVER['SCRIPT_FILENAME']);
-            @unlink('config-sample.php');
+            delTempFiles();
            
 ?>

@@ -426,7 +423,7 @@ function stripStr($str) {
 }

 //js描述重加密
-function modify_js_desc($path,$old_encrypt_enable,$old_encrypt_pass,$old_encrypt_type,$new_encrypt_enable,$new_encrypt_pass, $new_encrypt_type) {
+function modifyJsDesc($path,$old_encrypt_enable,$old_encrypt_pass,$old_encrypt_type,$new_encrypt_enable,$new_encrypt_pass, $new_encrypt_type) {
    $files = glob($path . '/*.js');
    foreach ($files as $file){
        //由于可能有中文名,故使用正则来提取文件名
@@ -483,4 +480,24 @@ function decrypt($info,$encrypt_enable,$encrypt_pass,$encrypt_type) {
    return $info;
 }

+//删除目录及目录下所有文件
+function delTree($dir) {
+    $files = array_diff(scandir($dir), array('.','..'));
+    foreach ($files as $file) {
+        (is_dir("$dir/$file")) ? delTree("$dir/$file") : unlink("$dir/$file");
+    }
+    return rmdir($dir);
+}
+
+//删除临时文件
+function delTempFiles() {
+    @unlink($_SERVER['SCRIPT_FILENAME']);
+    @unlink('config-sample.php');
+    @unlink('change_encrypt_pass.php');
+    @unlink('README.md');
+    @unlink('LICENSE');
+    @delTree('src/');
+    @delTree('diff/');
+    @delTree('guide/');
+}
 ?> 
--- a/login.php
+++ b/login.php
@@ -5,9 +5,7 @@ require_once("functions.php");
 require_once("dio.php");

 //CSP开启
-header("Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
-header("X-Content-Security-Policy: default-src 'self'; object-src 'none'; frame-src 'none'");
-header("X-WebKit-CSP: default-src 'self'; object-src 'none'; frame-src 'none'");
+require_once("waf.php");

 //设置httponly
 ini_set("session.cookie_httponly", 1);
@@ -50,7 +48,9 @@ if (!isset($forbiddenIPList[$ip]) || $forbiddenIPList[$ip] <= 5) {

 /*
 生成密码
-php -r "$salt='!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl';$key='bluelotus';$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;"
+
+php -r '$salt="!KTMdg#^^I6Z!deIVR#SgpAI6qTN7oVl";$key="你的密码";$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);$key=md5($salt.$key.$salt);echo $key;'
+
 */
 function checkPassword($p) {
    if (isset($_POST['firesunCheck']) && isset($_SESSION['firesunCheck']) && $_SESSION['firesunCheck'] != "" && $_POST['firesunCheck'] === $_SESSION['firesunCheck']) {
--- a/waf.php
+++ b/waf.php
@@ -0,0 +1,7 @@
+<?php
+header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'");
+header("X-Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-src 'none'");
+header("X-WebKit-CSP: default-src 'self'; style-src 'self' 'unsafe-inline';img-src 'self' data:; frame-src 'none'");
+header("X-XSS-Protection: 1; mode=block");
+header("X-Content-Type-Options: nosniff");
+header("X-Frame-Options: DENY");
@@ -1 +1 @@
 .2.19
 .2.22