PageRenderTime 57ms CodeModel.GetById 20ms RepoModel.GetById 0ms app.codeStats 1ms

/common/include/mailer/class.phpmailer.php

https://github.com/tematres/TemaTres-Vocabulary-Server
PHP | 4042 lines | 2377 code | 251 blank | 1414 comment | 390 complexity | bd176eda88940f0cc78ef8f74dd8cf15 MD5 | raw file
Possible License(s): LGPL-2.1, MIT, CC-BY-3.0

Large files files are truncated, but you can click here to view the full file

  1. <?php
  2. /**
  3. * PHPMailer - PHP email creation and transport class.
  4. * PHP Version 5
  5. * @package PHPMailer
  6. * @link https://github.com/PHPMailer/PHPMailer/ The PHPMailer GitHub project
  7. * @author Marcus Bointon (Synchro/coolbru) <phpmailer@synchromedia.co.uk>
  8. * @author Jim Jagielski (jimjag) <jimjag@gmail.com>
  9. * @author Andy Prevost (codeworxtech) <codeworxtech@users.sourceforge.net>
  10. * @author Brent R. Matzelle (original founder)
  11. * @copyright 2012 - 2014 Marcus Bointon
  12. * @copyright 2010 - 2012 Jim Jagielski
  13. * @copyright 2004 - 2009 Andy Prevost
  14. * @license http://www.gnu.org/copyleft/lesser.html GNU Lesser General Public License
  15. * @note This program is distributed in the hope that it will be useful - WITHOUT
  16. * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  17. * FITNESS FOR A PARTICULAR PURPOSE.
  18. */
  19. /**
  20. * PHPMailer - PHP email creation and transport class.
  21. * @package PHPMailer
  22. * @author Marcus Bointon (Synchro/coolbru) <phpmailer@synchromedia.co.uk>
  23. * @author Jim Jagielski (jimjag) <jimjag@gmail.com>
  24. * @author Andy Prevost (codeworxtech) <codeworxtech@users.sourceforge.net>
  25. * @author Brent R. Matzelle (original founder)
  26. */
  27. class PHPMailer
  28. {
  29. /**
  30. * The PHPMailer Version number.
  31. * @var string
  32. */
  33. public $Version = '5.2.24';
  34. /**
  35. * Email priority.
  36. * Options: null (default), 1 = High, 3 = Normal, 5 = low.
  37. * When null, the header is not set at all.
  38. * @var integer
  39. */
  40. public $Priority = null;
  41. /**
  42. * The character set of the message.
  43. * @var string
  44. */
  45. public $CharSet = 'iso-8859-1';
  46. /**
  47. * The MIME Content-type of the message.
  48. * @var string
  49. */
  50. public $ContentType = 'text/plain';
  51. /**
  52. * The message encoding.
  53. * Options: "8bit", "7bit", "binary", "base64", and "quoted-printable".
  54. * @var string
  55. */
  56. public $Encoding = '8bit';
  57. /**
  58. * Holds the most recent mailer error message.
  59. * @var string
  60. */
  61. public $ErrorInfo = '';
  62. /**
  63. * The From email address for the message.
  64. * @var string
  65. */
  66. public $From = 'root@localhost';
  67. /**
  68. * The From name of the message.
  69. * @var string
  70. */
  71. public $FromName = 'Root User';
  72. /**
  73. * The Sender email (Return-Path) of the message.
  74. * If not empty, will be sent via -f to sendmail or as 'MAIL FROM' in smtp mode.
  75. * @var string
  76. */
  77. public $Sender = '';
  78. /**
  79. * The Return-Path of the message.
  80. * If empty, it will be set to either From or Sender.
  81. * @var string
  82. * @deprecated Email senders should never set a return-path header;
  83. * it's the receiver's job (RFC5321 section 4.4), so this no longer does anything.
  84. * @link https://tools.ietf.org/html/rfc5321#section-4.4 RFC5321 reference
  85. */
  86. public $ReturnPath = '';
  87. /**
  88. * The Subject of the message.
  89. * @var string
  90. */
  91. public $Subject = '';
  92. /**
  93. * An HTML or plain text message body.
  94. * If HTML then call isHTML(true).
  95. * @var string
  96. */
  97. public $Body = '';
  98. /**
  99. * The plain-text message body.
  100. * This body can be read by mail clients that do not have HTML email
  101. * capability such as mutt & Eudora.
  102. * Clients that can read HTML will view the normal Body.
  103. * @var string
  104. */
  105. public $AltBody = '';
  106. /**
  107. * An iCal message part body.
  108. * Only supported in simple alt or alt_inline message types
  109. * To generate iCal events, use the bundled extras/EasyPeasyICS.php class or iCalcreator
  110. * @link http://sprain.ch/blog/downloads/php-class-easypeasyics-create-ical-files-with-php/
  111. * @link http://kigkonsult.se/iCalcreator/
  112. * @var string
  113. */
  114. public $Ical = '';
  115. /**
  116. * The complete compiled MIME message body.
  117. * @access protected
  118. * @var string
  119. */
  120. protected $MIMEBody = '';
  121. /**
  122. * The complete compiled MIME message headers.
  123. * @var string
  124. * @access protected
  125. */
  126. protected $MIMEHeader = '';
  127. /**
  128. * Extra headers that createHeader() doesn't fold in.
  129. * @var string
  130. * @access protected
  131. */
  132. protected $mailHeader = '';
  133. /**
  134. * Word-wrap the message body to this number of chars.
  135. * Set to 0 to not wrap. A useful value here is 78, for RFC2822 section 2.1.1 compliance.
  136. * @var integer
  137. */
  138. public $WordWrap = 0;
  139. /**
  140. * Which method to use to send mail.
  141. * Options: "mail", "sendmail", or "smtp".
  142. * @var string
  143. */
  144. public $Mailer = 'mail';
  145. /**
  146. * The path to the sendmail program.
  147. * @var string
  148. */
  149. public $Sendmail = '/usr/sbin/sendmail';
  150. /**
  151. * Whether mail() uses a fully sendmail-compatible MTA.
  152. * One which supports sendmail's "-oi -f" options.
  153. * @var boolean
  154. */
  155. public $UseSendmailOptions = true;
  156. /**
  157. * Path to PHPMailer plugins.
  158. * Useful if the SMTP class is not in the PHP include path.
  159. * @var string
  160. * @deprecated Should not be needed now there is an autoloader.
  161. */
  162. public $PluginDir = '';
  163. /**
  164. * The email address that a reading confirmation should be sent to, also known as read receipt.
  165. * @var string
  166. */
  167. public $ConfirmReadingTo = '';
  168. /**
  169. * The hostname to use in the Message-ID header and as default HELO string.
  170. * If empty, PHPMailer attempts to find one with, in order,
  171. * $_SERVER['SERVER_NAME'], gethostname(), php_uname('n'), or the value
  172. * 'localhost.localdomain'.
  173. * @var string
  174. */
  175. public $Hostname = '';
  176. /**
  177. * An ID to be used in the Message-ID header.
  178. * If empty, a unique id will be generated.
  179. * You can set your own, but it must be in the format "<id@domain>",
  180. * as defined in RFC5322 section 3.6.4 or it will be ignored.
  181. * @see https://tools.ietf.org/html/rfc5322#section-3.6.4
  182. * @var string
  183. */
  184. public $MessageID = '';
  185. /**
  186. * The message Date to be used in the Date header.
  187. * If empty, the current date will be added.
  188. * @var string
  189. */
  190. public $MessageDate = '';
  191. /**
  192. * SMTP hosts.
  193. * Either a single hostname or multiple semicolon-delimited hostnames.
  194. * You can also specify a different port
  195. * for each host by using this format: [hostname:port]
  196. * (e.g. "smtp1.example.com:25;smtp2.example.com").
  197. * You can also specify encryption type, for example:
  198. * (e.g. "tls://smtp1.example.com:587;ssl://smtp2.example.com:465").
  199. * Hosts will be tried in order.
  200. * @var string
  201. */
  202. public $Host = 'localhost';
  203. /**
  204. * The default SMTP server port.
  205. * @var integer
  206. * @TODO Why is this needed when the SMTP class takes care of it?
  207. */
  208. public $Port = 25;
  209. /**
  210. * The SMTP HELO of the message.
  211. * Default is $Hostname. If $Hostname is empty, PHPMailer attempts to find
  212. * one with the same method described above for $Hostname.
  213. * @var string
  214. * @see PHPMailer::$Hostname
  215. */
  216. public $Helo = '';
  217. /**
  218. * What kind of encryption to use on the SMTP connection.
  219. * Options: '', 'ssl' or 'tls'
  220. * @var string
  221. */
  222. public $SMTPSecure = '';
  223. /**
  224. * Whether to enable TLS encryption automatically if a server supports it,
  225. * even if `SMTPSecure` is not set to 'tls'.
  226. * Be aware that in PHP >= 5.6 this requires that the server's certificates are valid.
  227. * @var boolean
  228. */
  229. public $SMTPAutoTLS = true;
  230. /**
  231. * Whether to use SMTP authentication.
  232. * Uses the Username and Password properties.
  233. * @var boolean
  234. * @see PHPMailer::$Username
  235. * @see PHPMailer::$Password
  236. */
  237. public $SMTPAuth = false;
  238. /**
  239. * Options array passed to stream_context_create when connecting via SMTP.
  240. * @var array
  241. */
  242. public $SMTPOptions = array();
  243. /**
  244. * SMTP username.
  245. * @var string
  246. */
  247. public $Username = '';
  248. /**
  249. * SMTP password.
  250. * @var string
  251. */
  252. public $Password = '';
  253. /**
  254. * SMTP auth type.
  255. * Options are CRAM-MD5, LOGIN, PLAIN, NTLM, XOAUTH2, attempted in that order if not specified
  256. * @var string
  257. */
  258. public $AuthType = '';
  259. /**
  260. * SMTP realm.
  261. * Used for NTLM auth
  262. * @var string
  263. */
  264. public $Realm = '';
  265. /**
  266. * SMTP workstation.
  267. * Used for NTLM auth
  268. * @var string
  269. */
  270. public $Workstation = '';
  271. /**
  272. * The SMTP server timeout in seconds.
  273. * Default of 5 minutes (300sec) is from RFC2821 section 4.5.3.2
  274. * @var integer
  275. */
  276. public $Timeout = 300;
  277. /**
  278. * SMTP class debug output mode.
  279. * Debug output level.
  280. * Options:
  281. * * `0` No output
  282. * * `1` Commands
  283. * * `2` Data and commands
  284. * * `3` As 2 plus connection status
  285. * * `4` Low-level data output
  286. * @var integer
  287. * @see SMTP::$do_debug
  288. */
  289. public $SMTPDebug = 0;
  290. /**
  291. * How to handle debug output.
  292. * Options:
  293. * * `echo` Output plain-text as-is, appropriate for CLI
  294. * * `html` Output escaped, line breaks converted to `<br>`, appropriate for browser output
  295. * * `error_log` Output to error log as configured in php.ini
  296. *
  297. * Alternatively, you can provide a callable expecting two params: a message string and the debug level:
  298. * <code>
  299. * $mail->Debugoutput = function($str, $level) {echo "debug level $level; message: $str";};
  300. * </code>
  301. * @var string|callable
  302. * @see SMTP::$Debugoutput
  303. */
  304. public $Debugoutput = 'echo';
  305. /**
  306. * Whether to keep SMTP connection open after each message.
  307. * If this is set to true then to close the connection
  308. * requires an explicit call to smtpClose().
  309. * @var boolean
  310. */
  311. public $SMTPKeepAlive = false;
  312. /**
  313. * Whether to split multiple to addresses into multiple messages
  314. * or send them all in one message.
  315. * Only supported in `mail` and `sendmail` transports, not in SMTP.
  316. * @var boolean
  317. */
  318. public $SingleTo = false;
  319. /**
  320. * Storage for addresses when SingleTo is enabled.
  321. * @var array
  322. * @TODO This should really not be public
  323. */
  324. public $SingleToArray = array();
  325. /**
  326. * Whether to generate VERP addresses on send.
  327. * Only applicable when sending via SMTP.
  328. * @link https://en.wikipedia.org/wiki/Variable_envelope_return_path
  329. * @link http://www.postfix.org/VERP_README.html Postfix VERP info
  330. * @var boolean
  331. */
  332. public $do_verp = false;
  333. /**
  334. * Whether to allow sending messages with an empty body.
  335. * @var boolean
  336. */
  337. public $AllowEmpty = false;
  338. /**
  339. * The default line ending.
  340. * @note The default remains "\n". We force CRLF where we know
  341. * it must be used via self::CRLF.
  342. * @var string
  343. */
  344. public $LE = "\n";
  345. /**
  346. * DKIM selector.
  347. * @var string
  348. */
  349. public $DKIM_selector = '';
  350. /**
  351. * DKIM Identity.
  352. * Usually the email address used as the source of the email.
  353. * @var string
  354. */
  355. public $DKIM_identity = '';
  356. /**
  357. * DKIM passphrase.
  358. * Used if your key is encrypted.
  359. * @var string
  360. */
  361. public $DKIM_passphrase = '';
  362. /**
  363. * DKIM signing domain name.
  364. * @example 'example.com'
  365. * @var string
  366. */
  367. public $DKIM_domain = '';
  368. /**
  369. * DKIM private key file path.
  370. * @var string
  371. */
  372. public $DKIM_private = '';
  373. /**
  374. * DKIM private key string.
  375. * If set, takes precedence over `$DKIM_private`.
  376. * @var string
  377. */
  378. public $DKIM_private_string = '';
  379. /**
  380. * Callback Action function name.
  381. *
  382. * The function that handles the result of the send email action.
  383. * It is called out by send() for each email sent.
  384. *
  385. * Value can be any php callable: http://www.php.net/is_callable
  386. *
  387. * Parameters:
  388. * boolean $result result of the send action
  389. * array $to email addresses of the recipients
  390. * array $cc cc email addresses
  391. * array $bcc bcc email addresses
  392. * string $subject the subject
  393. * string $body the email body
  394. * string $from email address of sender
  395. * @var string
  396. */
  397. public $action_function = '';
  398. /**
  399. * What to put in the X-Mailer header.
  400. * Options: An empty string for PHPMailer default, whitespace for none, or a string to use
  401. * @var string
  402. */
  403. public $XMailer = '';
  404. /**
  405. * Which validator to use by default when validating email addresses.
  406. * May be a callable to inject your own validator, but there are several built-in validators.
  407. * @see PHPMailer::validateAddress()
  408. * @var string|callable
  409. * @static
  410. */
  411. public static $validator = 'auto';
  412. /**
  413. * An instance of the SMTP sender class.
  414. * @var SMTP
  415. * @access protected
  416. */
  417. protected $smtp = null;
  418. /**
  419. * The array of 'to' names and addresses.
  420. * @var array
  421. * @access protected
  422. */
  423. protected $to = array();
  424. /**
  425. * The array of 'cc' names and addresses.
  426. * @var array
  427. * @access protected
  428. */
  429. protected $cc = array();
  430. /**
  431. * The array of 'bcc' names and addresses.
  432. * @var array
  433. * @access protected
  434. */
  435. protected $bcc = array();
  436. /**
  437. * The array of reply-to names and addresses.
  438. * @var array
  439. * @access protected
  440. */
  441. protected $ReplyTo = array();
  442. /**
  443. * An array of all kinds of addresses.
  444. * Includes all of $to, $cc, $bcc
  445. * @var array
  446. * @access protected
  447. * @see PHPMailer::$to @see PHPMailer::$cc @see PHPMailer::$bcc
  448. */
  449. protected $all_recipients = array();
  450. /**
  451. * An array of names and addresses queued for validation.
  452. * In send(), valid and non duplicate entries are moved to $all_recipients
  453. * and one of $to, $cc, or $bcc.
  454. * This array is used only for addresses with IDN.
  455. * @var array
  456. * @access protected
  457. * @see PHPMailer::$to @see PHPMailer::$cc @see PHPMailer::$bcc
  458. * @see PHPMailer::$all_recipients
  459. */
  460. protected $RecipientsQueue = array();
  461. /**
  462. * An array of reply-to names and addresses queued for validation.
  463. * In send(), valid and non duplicate entries are moved to $ReplyTo.
  464. * This array is used only for addresses with IDN.
  465. * @var array
  466. * @access protected
  467. * @see PHPMailer::$ReplyTo
  468. */
  469. protected $ReplyToQueue = array();
  470. /**
  471. * The array of attachments.
  472. * @var array
  473. * @access protected
  474. */
  475. protected $attachment = array();
  476. /**
  477. * The array of custom headers.
  478. * @var array
  479. * @access protected
  480. */
  481. protected $CustomHeader = array();
  482. /**
  483. * The most recent Message-ID (including angular brackets).
  484. * @var string
  485. * @access protected
  486. */
  487. protected $lastMessageID = '';
  488. /**
  489. * The message's MIME type.
  490. * @var string
  491. * @access protected
  492. */
  493. protected $message_type = '';
  494. /**
  495. * The array of MIME boundary strings.
  496. * @var array
  497. * @access protected
  498. */
  499. protected $boundary = array();
  500. /**
  501. * The array of available languages.
  502. * @var array
  503. * @access protected
  504. */
  505. protected $language = array();
  506. /**
  507. * The number of errors encountered.
  508. * @var integer
  509. * @access protected
  510. */
  511. protected $error_count = 0;
  512. /**
  513. * The S/MIME certificate file path.
  514. * @var string
  515. * @access protected
  516. */
  517. protected $sign_cert_file = '';
  518. /**
  519. * The S/MIME key file path.
  520. * @var string
  521. * @access protected
  522. */
  523. protected $sign_key_file = '';
  524. /**
  525. * The optional S/MIME extra certificates ("CA Chain") file path.
  526. * @var string
  527. * @access protected
  528. */
  529. protected $sign_extracerts_file = '';
  530. /**
  531. * The S/MIME password for the key.
  532. * Used only if the key is encrypted.
  533. * @var string
  534. * @access protected
  535. */
  536. protected $sign_key_pass = '';
  537. /**
  538. * Whether to throw exceptions for errors.
  539. * @var boolean
  540. * @access protected
  541. */
  542. protected $exceptions = false;
  543. /**
  544. * Unique ID used for message ID and boundaries.
  545. * @var string
  546. * @access protected
  547. */
  548. protected $uniqueid = '';
  549. /**
  550. * Error severity: message only, continue processing.
  551. */
  552. const STOP_MESSAGE = 0;
  553. /**
  554. * Error severity: message, likely ok to continue processing.
  555. */
  556. const STOP_CONTINUE = 1;
  557. /**
  558. * Error severity: message, plus full stop, critical error reached.
  559. */
  560. const STOP_CRITICAL = 2;
  561. /**
  562. * SMTP RFC standard line ending.
  563. */
  564. const CRLF = "\r\n";
  565. /**
  566. * The maximum line length allowed by RFC 2822 section 2.1.1
  567. * @var integer
  568. */
  569. const MAX_LINE_LENGTH = 998;
  570. /**
  571. * Constructor.
  572. * @param boolean $exceptions Should we throw external exceptions?
  573. */
  574. public function __construct($exceptions = null)
  575. {
  576. if ($exceptions !== null) {
  577. $this->exceptions = (boolean)$exceptions;
  578. }
  579. }
  580. /**
  581. * Destructor.
  582. */
  583. public function __destruct()
  584. {
  585. //Close any open SMTP connection nicely
  586. $this->smtpClose();
  587. }
  588. /**
  589. * Call mail() in a safe_mode-aware fashion.
  590. * Also, unless sendmail_path points to sendmail (or something that
  591. * claims to be sendmail), don't pass params (not a perfect fix,
  592. * but it will do)
  593. * @param string $to To
  594. * @param string $subject Subject
  595. * @param string $body Message Body
  596. * @param string $header Additional Header(s)
  597. * @param string $params Params
  598. * @access private
  599. * @return boolean
  600. */
  601. private function mailPassthru($to, $subject, $body, $header, $params)
  602. {
  603. //Check overloading of mail function to avoid double-encoding
  604. if (ini_get('mbstring.func_overload') & 1) {
  605. $subject = $this->secureHeader($subject);
  606. } else {
  607. $subject = $this->encodeHeader($this->secureHeader($subject));
  608. }
  609. //Can't use additional_parameters in safe_mode, calling mail() with null params breaks
  610. //@link http://php.net/manual/en/function.mail.php
  611. if (ini_get('safe_mode') or !$this->UseSendmailOptions or is_null($params)) {
  612. $result = @mail($to, $subject, $body, $header);
  613. } else {
  614. $result = @mail($to, $subject, $body, $header, $params);
  615. }
  616. return $result;
  617. }
  618. /**
  619. * Output debugging info via user-defined method.
  620. * Only generates output if SMTP debug output is enabled (@see SMTP::$do_debug).
  621. * @see PHPMailer::$Debugoutput
  622. * @see PHPMailer::$SMTPDebug
  623. * @param string $str
  624. */
  625. protected function edebug($str)
  626. {
  627. if ($this->SMTPDebug <= 0) {
  628. return;
  629. }
  630. //Avoid clash with built-in function names
  631. if (!in_array($this->Debugoutput, array('error_log', 'html', 'echo')) and is_callable($this->Debugoutput)) {
  632. call_user_func($this->Debugoutput, $str, $this->SMTPDebug);
  633. return;
  634. }
  635. switch ($this->Debugoutput) {
  636. case 'error_log':
  637. //Don't output, just log
  638. error_log($str);
  639. break;
  640. case 'html':
  641. //Cleans up output a bit for a better looking, HTML-safe output
  642. echo htmlentities(
  643. preg_replace('/[\r\n]+/', '', $str),
  644. ENT_QUOTES,
  645. 'UTF-8'
  646. )
  647. . "<br>\n";
  648. break;
  649. case 'echo':
  650. default:
  651. //Normalize line breaks
  652. $str = preg_replace('/\r\n?/ms', "\n", $str);
  653. echo gmdate('Y-m-d H:i:s') . "\t" . str_replace(
  654. "\n",
  655. "\n \t ",
  656. trim($str)
  657. ) . "\n";
  658. }
  659. }
  660. /**
  661. * Sets message type to HTML or plain.
  662. * @param boolean $isHtml True for HTML mode.
  663. * @return void
  664. */
  665. public function isHTML($isHtml = true)
  666. {
  667. if ($isHtml) {
  668. $this->ContentType = 'text/html';
  669. } else {
  670. $this->ContentType = 'text/plain';
  671. }
  672. }
  673. /**
  674. * Send messages using SMTP.
  675. * @return void
  676. */
  677. public function isSMTP()
  678. {
  679. $this->Mailer = 'smtp';
  680. }
  681. /**
  682. * Send messages using PHP's mail() function.
  683. * @return void
  684. */
  685. public function isMail()
  686. {
  687. $this->Mailer = 'mail';
  688. }
  689. /**
  690. * Send messages using $Sendmail.
  691. * @return void
  692. */
  693. public function isSendmail()
  694. {
  695. $ini_sendmail_path = ini_get('sendmail_path');
  696. if (!stristr($ini_sendmail_path, 'sendmail')) {
  697. $this->Sendmail = '/usr/sbin/sendmail';
  698. } else {
  699. $this->Sendmail = $ini_sendmail_path;
  700. }
  701. $this->Mailer = 'sendmail';
  702. }
  703. /**
  704. * Send messages using qmail.
  705. * @return void
  706. */
  707. public function isQmail()
  708. {
  709. $ini_sendmail_path = ini_get('sendmail_path');
  710. if (!stristr($ini_sendmail_path, 'qmail')) {
  711. $this->Sendmail = '/var/qmail/bin/qmail-inject';
  712. } else {
  713. $this->Sendmail = $ini_sendmail_path;
  714. }
  715. $this->Mailer = 'qmail';
  716. }
  717. /**
  718. * Add a "To" address.
  719. * @param string $address The email address to send to
  720. * @param string $name
  721. * @return boolean true on success, false if address already used or invalid in some way
  722. */
  723. public function addAddress($address, $name = '')
  724. {
  725. return $this->addOrEnqueueAnAddress('to', $address, $name);
  726. }
  727. /**
  728. * Add a "CC" address.
  729. * @note: This function works with the SMTP mailer on win32, not with the "mail" mailer.
  730. * @param string $address The email address to send to
  731. * @param string $name
  732. * @return boolean true on success, false if address already used or invalid in some way
  733. */
  734. public function addCC($address, $name = '')
  735. {
  736. return $this->addOrEnqueueAnAddress('cc', $address, $name);
  737. }
  738. /**
  739. * Add a "BCC" address.
  740. * @note: This function works with the SMTP mailer on win32, not with the "mail" mailer.
  741. * @param string $address The email address to send to
  742. * @param string $name
  743. * @return boolean true on success, false if address already used or invalid in some way
  744. */
  745. public function addBCC($address, $name = '')
  746. {
  747. return $this->addOrEnqueueAnAddress('bcc', $address, $name);
  748. }
  749. /**
  750. * Add a "Reply-To" address.
  751. * @param string $address The email address to reply to
  752. * @param string $name
  753. * @return boolean true on success, false if address already used or invalid in some way
  754. */
  755. public function addReplyTo($address, $name = '')
  756. {
  757. return $this->addOrEnqueueAnAddress('Reply-To', $address, $name);
  758. }
  759. /**
  760. * Add an address to one of the recipient arrays or to the ReplyTo array. Because PHPMailer
  761. * can't validate addresses with an IDN without knowing the PHPMailer::$CharSet (that can still
  762. * be modified after calling this function), addition of such addresses is delayed until send().
  763. * Addresses that have been added already return false, but do not throw exceptions.
  764. * @param string $kind One of 'to', 'cc', 'bcc', or 'ReplyTo'
  765. * @param string $address The email address to send, resp. to reply to
  766. * @param string $name
  767. * @throws phpmailerException
  768. * @return boolean true on success, false if address already used or invalid in some way
  769. * @access protected
  770. */
  771. protected function addOrEnqueueAnAddress($kind, $address, $name)
  772. {
  773. $address = trim($address);
  774. $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
  775. if (($pos = strrpos($address, '@')) === false) {
  776. // At-sign is misssing.
  777. $error_message = $this->lang('invalid_address') . " (addAnAddress $kind): $address";
  778. $this->setError($error_message);
  779. $this->edebug($error_message);
  780. if ($this->exceptions) {
  781. throw new phpmailerException($error_message);
  782. }
  783. return false;
  784. }
  785. $params = array($kind, $address, $name);
  786. // Enqueue addresses with IDN until we know the PHPMailer::$CharSet.
  787. if ($this->has8bitChars(substr($address, ++$pos)) and $this->idnSupported()) {
  788. if ($kind != 'Reply-To') {
  789. if (!array_key_exists($address, $this->RecipientsQueue)) {
  790. $this->RecipientsQueue[$address] = $params;
  791. return true;
  792. }
  793. } else {
  794. if (!array_key_exists($address, $this->ReplyToQueue)) {
  795. $this->ReplyToQueue[$address] = $params;
  796. return true;
  797. }
  798. }
  799. return false;
  800. }
  801. // Immediately add standard addresses without IDN.
  802. return call_user_func_array(array($this, 'addAnAddress'), $params);
  803. }
  804. /**
  805. * Add an address to one of the recipient arrays or to the ReplyTo array.
  806. * Addresses that have been added already return false, but do not throw exceptions.
  807. * @param string $kind One of 'to', 'cc', 'bcc', or 'ReplyTo'
  808. * @param string $address The email address to send, resp. to reply to
  809. * @param string $name
  810. * @throws phpmailerException
  811. * @return boolean true on success, false if address already used or invalid in some way
  812. * @access protected
  813. */
  814. protected function addAnAddress($kind, $address, $name = '')
  815. {
  816. if (!in_array($kind, array('to', 'cc', 'bcc', 'Reply-To'))) {
  817. $error_message = $this->lang('Invalid recipient kind: ') . $kind;
  818. $this->setError($error_message);
  819. $this->edebug($error_message);
  820. if ($this->exceptions) {
  821. throw new phpmailerException($error_message);
  822. }
  823. return false;
  824. }
  825. if (!$this->validateAddress($address)) {
  826. $error_message = $this->lang('invalid_address') . " (addAnAddress $kind): $address";
  827. $this->setError($error_message);
  828. $this->edebug($error_message);
  829. if ($this->exceptions) {
  830. throw new phpmailerException($error_message);
  831. }
  832. return false;
  833. }
  834. if ($kind != 'Reply-To') {
  835. if (!array_key_exists(strtolower($address), $this->all_recipients)) {
  836. array_push($this->$kind, array($address, $name));
  837. $this->all_recipients[strtolower($address)] = true;
  838. return true;
  839. }
  840. } else {
  841. if (!array_key_exists(strtolower($address), $this->ReplyTo)) {
  842. $this->ReplyTo[strtolower($address)] = array($address, $name);
  843. return true;
  844. }
  845. }
  846. return false;
  847. }
  848. /**
  849. * Parse and validate a string containing one or more RFC822-style comma-separated email addresses
  850. * of the form "display name <address>" into an array of name/address pairs.
  851. * Uses the imap_rfc822_parse_adrlist function if the IMAP extension is available.
  852. * Note that quotes in the name part are removed.
  853. * @param string $addrstr The address list string
  854. * @param bool $useimap Whether to use the IMAP extension to parse the list
  855. * @return array
  856. * @link http://www.andrew.cmu.edu/user/agreen1/testing/mrbs/web/Mail/RFC822.php A more careful implementation
  857. */
  858. public function parseAddresses($addrstr, $useimap = true)
  859. {
  860. $addresses = array();
  861. if ($useimap and function_exists('imap_rfc822_parse_adrlist')) {
  862. //Use this built-in parser if it's available
  863. $list = imap_rfc822_parse_adrlist($addrstr, '');
  864. foreach ($list as $address) {
  865. if ($address->host != '.SYNTAX-ERROR.') {
  866. if ($this->validateAddress($address->mailbox . '@' . $address->host)) {
  867. $addresses[] = array(
  868. 'name' => (property_exists($address, 'personal') ? $address->personal : ''),
  869. 'address' => $address->mailbox . '@' . $address->host
  870. );
  871. }
  872. }
  873. }
  874. } else {
  875. //Use this simpler parser
  876. $list = explode(',', $addrstr);
  877. foreach ($list as $address) {
  878. $address = trim($address);
  879. //Is there a separate name part?
  880. if (strpos($address, '<') === false) {
  881. //No separate name, just use the whole thing
  882. if ($this->validateAddress($address)) {
  883. $addresses[] = array(
  884. 'name' => '',
  885. 'address' => $address
  886. );
  887. }
  888. } else {
  889. list($name, $email) = explode('<', $address);
  890. $email = trim(str_replace('>', '', $email));
  891. if ($this->validateAddress($email)) {
  892. $addresses[] = array(
  893. 'name' => trim(str_replace(array('"', "'"), '', $name)),
  894. 'address' => $email
  895. );
  896. }
  897. }
  898. }
  899. }
  900. return $addresses;
  901. }
  902. /**
  903. * Set the From and FromName properties.
  904. * @param string $address
  905. * @param string $name
  906. * @param boolean $auto Whether to also set the Sender address, defaults to true
  907. * @throws phpmailerException
  908. * @return boolean
  909. */
  910. public function setFrom($address, $name = '', $auto = true)
  911. {
  912. $address = trim($address);
  913. $name = trim(preg_replace('/[\r\n]+/', '', $name)); //Strip breaks and trim
  914. // Don't validate now addresses with IDN. Will be done in send().
  915. if (($pos = strrpos($address, '@')) === false or
  916. (!$this->has8bitChars(substr($address, ++$pos)) or !$this->idnSupported()) and
  917. !$this->validateAddress($address)) {
  918. $error_message = $this->lang('invalid_address') . " (setFrom) $address";
  919. $this->setError($error_message);
  920. $this->edebug($error_message);
  921. if ($this->exceptions) {
  922. throw new phpmailerException($error_message);
  923. }
  924. return false;
  925. }
  926. $this->From = $address;
  927. $this->FromName = $name;
  928. if ($auto) {
  929. if (empty($this->Sender)) {
  930. $this->Sender = $address;
  931. }
  932. }
  933. return true;
  934. }
  935. /**
  936. * Return the Message-ID header of the last email.
  937. * Technically this is the value from the last time the headers were created,
  938. * but it's also the message ID of the last sent message except in
  939. * pathological cases.
  940. * @return string
  941. */
  942. public function getLastMessageID()
  943. {
  944. return $this->lastMessageID;
  945. }
  946. /**
  947. * Check that a string looks like an email address.
  948. * @param string $address The email address to check
  949. * @param string|callable $patternselect A selector for the validation pattern to use :
  950. * * `auto` Pick best pattern automatically;
  951. * * `pcre8` Use the squiloople.com pattern, requires PCRE > 8.0, PHP >= 5.3.2, 5.2.14;
  952. * * `pcre` Use old PCRE implementation;
  953. * * `php` Use PHP built-in FILTER_VALIDATE_EMAIL;
  954. * * `html5` Use the pattern given by the HTML5 spec for 'email' type form input elements.
  955. * * `noregex` Don't use a regex: super fast, really dumb.
  956. * Alternatively you may pass in a callable to inject your own validator, for example:
  957. * PHPMailer::validateAddress('user@example.com', function($address) {
  958. * return (strpos($address, '@') !== false);
  959. * });
  960. * You can also set the PHPMailer::$validator static to a callable, allowing built-in methods to use your validator.
  961. * @return boolean
  962. * @static
  963. * @access public
  964. */
  965. public static function validateAddress($address, $patternselect = null)
  966. {
  967. if (is_null($patternselect)) {
  968. $patternselect = self::$validator;
  969. }
  970. if (is_callable($patternselect)) {
  971. return call_user_func($patternselect, $address);
  972. }
  973. //Reject line breaks in addresses; it's valid RFC5322, but not RFC5321
  974. if (strpos($address, "\n") !== false or strpos($address, "\r") !== false) {
  975. return false;
  976. }
  977. if (!$patternselect or $patternselect == 'auto') {
  978. //Check this constant first so it works when extension_loaded() is disabled by safe mode
  979. //Constant was added in PHP 5.2.4
  980. if (defined('PCRE_VERSION')) {
  981. //This pattern can get stuck in a recursive loop in PCRE <= 8.0.2
  982. if (version_compare(PCRE_VERSION, '8.0.3') >= 0) {
  983. $patternselect = 'pcre8';
  984. } else {
  985. $patternselect = 'pcre';
  986. }
  987. } elseif (function_exists('extension_loaded') and extension_loaded('pcre')) {
  988. //Fall back to older PCRE
  989. $patternselect = 'pcre';
  990. } else {
  991. //Filter_var appeared in PHP 5.2.0 and does not require the PCRE extension
  992. if (version_compare(PHP_VERSION, '5.2.0') >= 0) {
  993. $patternselect = 'php';
  994. } else {
  995. $patternselect = 'noregex';
  996. }
  997. }
  998. }
  999. switch ($patternselect) {
  1000. case 'pcre8':
  1001. /**
  1002. * Uses the same RFC5322 regex on which FILTER_VALIDATE_EMAIL is based, but allows dotless domains.
  1003. * @link http://squiloople.com/2009/12/20/email-address-validation/
  1004. * @copyright 2009-2010 Michael Rushton
  1005. * Feel free to use and redistribute this code. But please keep this copyright notice.
  1006. */
  1007. return (boolean)preg_match(
  1008. '/^(?!(?>(?1)"?(?>\\\[ -~]|[^"])"?(?1)){255,})(?!(?>(?1)"?(?>\\\[ -~]|[^"])"?(?1)){65,}@)' .
  1009. '((?>(?>(?>((?>(?>(?>\x0D\x0A)?[\t ])+|(?>[\t ]*\x0D\x0A)?[\t ]+)?)(\((?>(?2)' .
  1010. '(?>[\x01-\x08\x0B\x0C\x0E-\'*-\[\]-\x7F]|\\\[\x00-\x7F]|(?3)))*(?2)\)))+(?2))|(?2))?)' .
  1011. '([!#-\'*+\/-9=?^-~-]+|"(?>(?2)(?>[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\x7F]))*' .
  1012. '(?2)")(?>(?1)\.(?1)(?4))*(?1)@(?!(?1)[a-z0-9-]{64,})(?1)(?>([a-z0-9](?>[a-z0-9-]*[a-z0-9])?)' .
  1013. '(?>(?1)\.(?!(?1)[a-z0-9-]{64,})(?1)(?5)){0,126}|\[(?:(?>IPv6:(?>([a-f0-9]{1,4})(?>:(?6)){7}' .
  1014. '|(?!(?:.*[a-f0-9][:\]]){8,})((?6)(?>:(?6)){0,6})?::(?7)?))|(?>(?>IPv6:(?>(?6)(?>:(?6)){5}:' .
  1015. '|(?!(?:.*[a-f0-9]:){6,})(?8)?::(?>((?6)(?>:(?6)){0,4}):)?))?(25[0-5]|2[0-4][0-9]|1[0-9]{2}' .
  1016. '|[1-9]?[0-9])(?>\.(?9)){3}))\])(?1)$/isD',
  1017. $address
  1018. );
  1019. case 'pcre':
  1020. //An older regex that doesn't need a recent PCRE
  1021. return (boolean)preg_match(
  1022. '/^(?!(?>"?(?>\\\[ -~]|[^"])"?){255,})(?!(?>"?(?>\\\[ -~]|[^"])"?){65,}@)(?>' .
  1023. '[!#-\'*+\/-9=?^-~-]+|"(?>(?>[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\xFF]))*")' .
  1024. '(?>\.(?>[!#-\'*+\/-9=?^-~-]+|"(?>(?>[\x01-\x08\x0B\x0C\x0E-!#-\[\]-\x7F]|\\\[\x00-\xFF]))*"))*' .
  1025. '@(?>(?![a-z0-9-]{64,})(?>[a-z0-9](?>[a-z0-9-]*[a-z0-9])?)(?>\.(?![a-z0-9-]{64,})' .
  1026. '(?>[a-z0-9](?>[a-z0-9-]*[a-z0-9])?)){0,126}|\[(?:(?>IPv6:(?>(?>[a-f0-9]{1,4})(?>:' .
  1027. '[a-f0-9]{1,4}){7}|(?!(?:.*[a-f0-9][:\]]){8,})(?>[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,6})?' .
  1028. '::(?>[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,6})?))|(?>(?>IPv6:(?>[a-f0-9]{1,4}(?>:' .
  1029. '[a-f0-9]{1,4}){5}:|(?!(?:.*[a-f0-9]:){6,})(?>[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,4})?' .
  1030. '::(?>(?:[a-f0-9]{1,4}(?>:[a-f0-9]{1,4}){0,4}):)?))?(?>25[0-5]|2[0-4][0-9]|1[0-9]{2}' .
  1031. '|[1-9]?[0-9])(?>\.(?>25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}))\])$/isD',
  1032. $address
  1033. );
  1034. case 'html5':
  1035. /**
  1036. * This is the pattern used in the HTML5 spec for validation of 'email' type form input elements.
  1037. * @link http://www.whatwg.org/specs/web-apps/current-work/#e-mail-state-(type=email)
  1038. */
  1039. return (boolean)preg_match(
  1040. '/^[a-zA-Z0-9.!#$%&\'*+\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}' .
  1041. '[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$/sD',
  1042. $address
  1043. );
  1044. case 'noregex':
  1045. //No PCRE! Do something _very_ approximate!
  1046. //Check the address is 3 chars or longer and contains an @ that's not the first or last char
  1047. return (strlen($address) >= 3
  1048. and strpos($address, '@') >= 1
  1049. and strpos($address, '@') != strlen($address) - 1);
  1050. case 'php':
  1051. default:
  1052. return (boolean)filter_var($address, FILTER_VALIDATE_EMAIL);
  1053. }
  1054. }
  1055. /**
  1056. * Tells whether IDNs (Internationalized Domain Names) are supported or not. This requires the
  1057. * "intl" and "mbstring" PHP extensions.
  1058. * @return bool "true" if required functions for IDN support are present
  1059. */
  1060. public function idnSupported()
  1061. {
  1062. // @TODO: Write our own "idn_to_ascii" function for PHP <= 5.2.
  1063. return function_exists('idn_to_ascii') and function_exists('mb_convert_encoding');
  1064. }
  1065. /**
  1066. * Converts IDN in given email address to its ASCII form, also known as punycode, if possible.
  1067. * Important: Address must be passed in same encoding as currently set in PHPMailer::$CharSet.
  1068. * This function silently returns unmodified address if:
  1069. * - No conversion is necessary (i.e. domain name is not an IDN, or is already in ASCII form)
  1070. * - Conversion to punycode is impossible (e.g. required PHP functions are not available)
  1071. * or fails for any reason (e.g. domain has characters not allowed in an IDN)
  1072. * @see PHPMailer::$CharSet
  1073. * @param string $address The email address to convert
  1074. * @return string The encoded address in ASCII form
  1075. */
  1076. public function punyencodeAddress($address)
  1077. {
  1078. // Verify we have required functions, CharSet, and at-sign.
  1079. if ($this->idnSupported() and
  1080. !empty($this->CharSet) and
  1081. ($pos = strrpos($address, '@')) !== false) {
  1082. $domain = substr($address, ++$pos);
  1083. // Verify CharSet string is a valid one, and domain properly encoded in this CharSet.
  1084. if ($this->has8bitChars($domain) and @mb_check_encoding($domain, $this->CharSet)) {
  1085. $domain = mb_convert_encoding($domain, 'UTF-8', $this->CharSet);
  1086. if (($punycode = defined('INTL_IDNA_VARIANT_UTS46') ?
  1087. idn_to_ascii($domain, 0, INTL_IDNA_VARIANT_UTS46) :
  1088. idn_to_ascii($domain)) !== false) {
  1089. return substr($address, 0, $pos) . $punycode;
  1090. }
  1091. }
  1092. }
  1093. return $address;
  1094. }
  1095. /**
  1096. * Create a message and send it.
  1097. * Uses the sending method specified by $Mailer.
  1098. * @throws phpmailerException
  1099. * @return boolean false on error - See the ErrorInfo property for details of the error.
  1100. */
  1101. public function send()
  1102. {
  1103. try {
  1104. if (!$this->preSend()) {
  1105. return false;
  1106. }
  1107. return $this->postSend();
  1108. } catch (phpmailerException $exc) {
  1109. $this->mailHeader = '';
  1110. $this->setError($exc->getMessage());
  1111. if ($this->exceptions) {
  1112. throw $exc;
  1113. }
  1114. return false;
  1115. }
  1116. }
  1117. /**
  1118. * Prepare a message for sending.
  1119. * @throws phpmailerException
  1120. * @return boolean
  1121. */
  1122. public function preSend()
  1123. {
  1124. try {
  1125. $this->error_count = 0; // Reset errors
  1126. $this->mailHeader = '';
  1127. // Dequeue recipient and Reply-To addresses with IDN
  1128. foreach (array_merge($this->RecipientsQueue, $this->ReplyToQueue) as $params) {
  1129. $params[1] = $this->punyencodeAddress($params[1]);
  1130. call_user_func_array(array($this, 'addAnAddress'), $params);
  1131. }
  1132. if ((count($this->to) + count($this->cc) + count($this->bcc)) < 1) {
  1133. throw new phpmailerException($this->lang('provide_address'), self::STOP_CRITICAL);
  1134. }
  1135. // Validate From, Sender, and ConfirmReadingTo addresses
  1136. foreach (array('From', 'Sender', 'ConfirmReadingTo') as $address_kind) {
  1137. $this->$address_kind = trim($this->$address_kind);
  1138. if (empty($this->$address_kind)) {
  1139. continue;
  1140. }
  1141. $this->$address_kind = $this->punyencodeAddress($this->$address_kind);
  1142. if (!$this->validateAddress($this->$address_kind)) {
  1143. $error_message = $this->lang('invalid_address') . ' (punyEncode) ' . $this->$address_kind;
  1144. $this->setError($error_message);
  1145. $this->edebug($error_message);
  1146. if ($this->exceptions) {
  1147. throw new phpmailerException($error_message);
  1148. }
  1149. return false;
  1150. }
  1151. }
  1152. // Set whether the message is multipart/alternative
  1153. if ($this->alternativeExists()) {
  1154. $this->ContentType = 'multipart/alternative';
  1155. }
  1156. $this->setMessageType();
  1157. // Refuse to send an empty message unless we are specifically allowing it
  1158. if (!$this->AllowEmpty and empty($this->Body)) {
  1159. throw new phpmailerException($this->lang('empty_message'), self::STOP_CRITICAL);
  1160. }
  1161. // Create body before headers in case body makes changes to headers (e.g. altering transfer encoding)
  1162. $this->MIMEHeader = '';
  1163. $this->MIMEBody = $this->createBody();
  1164. // createBody may have added some headers, so retain them
  1165. $tempheaders = $this->MIMEHeader;
  1166. $this->MIMEHeader = $this->createHeader();
  1167. $this->MIMEHeader .= $tempheaders;
  1168. // To capture the complete message when using mail(), create
  1169. // an extra header list which createHeader() doesn't fold in
  1170. if ($this->Mailer == 'mail') {
  1171. if (count($this->to) > 0) {
  1172. $this->mailHeader .= $this->addrAppend('To', $this->to);
  1173. } else {
  1174. $this->mailHeader .= $this->headerLine('To', 'undisclosed-recipients:;');
  1175. }
  1176. $this->mailHeader .= $this->headerLine(
  1177. 'Subject',
  1178. $this->encodeHeader($this->secureHeader(trim($this->Subject)))
  1179. );
  1180. }
  1181. // Sign with DKIM if enabled
  1182. if (!empty($this->DKIM_domain)
  1183. && !empty($this->DKIM_selector)
  1184. && (!empty($this->DKIM_private_string)
  1185. || (!empty($this->DKIM_private) && file_exists($this->DKIM_private))
  1186. )
  1187. ) {
  1188. $header_dkim = $this->DKIM_Add(
  1189. $this->MIMEHeader . $this->mailHeader,
  1190. $this->encodeHeader($this->secureHeader($this->Subject)),
  1191. $this->MIMEBody
  1192. );
  1193. $this->MIMEHeader = rtrim($this->MIMEHeader, "\r\n ") . self::CRLF .
  1194. str_replace("\r\n", "\n", $header_dkim) . self::CRLF;
  1195. }
  1196. return true;
  1197. } catch (phpmailerException $exc) {
  1198. $this->setError($exc->getMessage());
  1199. if ($this->exceptions) {
  1200. throw $exc;
  1201. }
  1202. return false;
  1203. }
  1204. }
  1205. /**
  1206. * Actually send a message.
  1207. * Send the email via the selected mechanism
  1208. * @throws phpmailerException
  1209. * @return boolean
  1210. */
  1211. public function postSend()
  1212. {
  1213. try {
  1214. // Choose the mailer and send through it
  1215. switch ($this->Mailer) {
  1216. case 'sendmail':
  1217. case 'qmail':
  1218. return $this->sendmailSend($this->MIMEHeader, $this->MIMEBody);
  1219. case 'smtp':
  1220. return $this->smtpSend($this->MIMEHeader, $this->MIMEBody);
  1221. case 'mail':
  1222. return $this->mailSend($this->MIMEHeader, $this->MIMEBody);
  1223. default:
  1224. $sendMethod = $this->Mailer.'Send';
  1225. if (method_exists($this, $sendMethod)) {
  1226. return $this->$sendMethod($this->MIMEHeader, $this->MIMEBody);
  1227. }
  1228. return $this->mailSend($this->MIMEHeader, $this->MIMEBody);
  1229. }
  1230. } catch (phpmailerException $exc) {
  1231. $this->setError($exc->getMessage());
  1232. $this->edebug($exc->getMessage());
  1233. if ($this->exceptions) {
  1234. throw $exc;
  1235. }
  1236. }
  1237. return false;
  1238. }
  1239. /**
  1240. * Send mail using the $Sendmail program.
  1241. * @param string $header The message headers
  1242. * @param string $body The message body
  1243. * @see PHPMailer::$Sendmail
  1244. * @throws phpmailerException
  1245. * @access protected
  1246. * @return boolean
  1247. */
  1248. protected function sendmailSend($header, $body)
  1249. {
  1250. // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
  1251. if (!empty($this->Sender) and self::isShellSafe($this->Sender)) {
  1252. if ($this->Mailer == 'qmail') {
  1253. $sendmailFmt = '%s -f%s';
  1254. } else {
  1255. $sendmailFmt = '%s -oi -f%s -t';
  1256. }
  1257. } else {
  1258. if ($this->Mailer == 'qmail') {
  1259. $sendmailFmt = '%s';
  1260. } else {
  1261. $sendmailFmt = '%s -oi -t';
  1262. }
  1263. }
  1264. // TODO: If possible, this should be changed to escapeshellarg. Needs thorough testing.
  1265. $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
  1266. if ($this->SingleTo) {
  1267. foreach ($this->SingleToArray as $toAddr) {
  1268. if (!@$mail = popen($sendmail, 'w')) {
  1269. throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL);
  1270. }
  1271. fputs($mail, 'To: ' . $toAddr . "\n");
  1272. fputs($mail, $header);
  1273. fputs($mail, $body);
  1274. $result = pclose($mail);
  1275. $this->doCallback(
  1276. ($result == 0),
  1277. array($toAddr),
  1278. $this->cc,
  1279. $this->bcc,
  1280. $this->Subject,
  1281. $body,
  1282. $this->From
  1283. );
  1284. if ($result != 0) {
  1285. throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL);
  1286. }
  1287. }
  1288. } else {
  1289. if (!@$mail = popen($sendmail, 'w')) {
  1290. throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL);
  1291. }
  1292. fputs($mail, $header);
  1293. fputs($mail, $body);
  1294. $result = pclose($mail);
  1295. $this->doCallback(
  1296. ($result == 0),
  1297. $this->to,
  1298. $this->cc,
  1299. $this->bcc,
  1300. $this->Subject,
  1301. $body,
  1302. $this->From
  1303. );
  1304. if ($result != 0) {
  1305. throw new phpmailerException($this->lang('execute') . $this->Sendmail, self::STOP_CRITICAL);
  1306. }
  1307. }
  1308. return true;
  1309. }
  1310. /**
  1311. * Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters.
  1312. *
  1313. * Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
  1314. * @param string $string The string to be validated
  1315. * @see https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
  1316. * @access protected
  1317. * @return boolean
  1318. */
  1319. protected static function isShellSafe($string)
  1320. {
  1321. // Future-proof
  1322. if (escapeshellcmd($string) !== $string
  1323. or !in_array(escapeshellarg($string), array("'$string'", "\"$string\""))
  1324. ) {
  1325. return false;
  1326. }
  1327. $length = strlen($string);
  1328. for ($i = 0; $i < $length; $i++) {
  1329. $c = $string[$i];
  1330. // All other characters have a special meaning in at least one common shell, including = and +.
  1331. // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
  1332. // Note that this does permit non-Latin alphanumeric characters based on the current locale.
  1333. if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
  1334. return false;
  1335. }
  1336. }
  1337. return true;
  1338. }
  1339. /**
  1340. * Send mail using the PHP mail() function.
  1341. * @param string $header T…

Large files files are truncated, but you can click here to view the full file