[wp-trac] [WordPress Trac] #40576: Sending emails broken in 4.7.2

WordPress Trac noreply at wordpress.org
Mon May 1 02:46:03 UTC 2017


#40576: Sending emails broken in 4.7.2
--------------------------------+------------------------------
 Reporter:  pavelevap           |       Owner:
     Type:  defect (bug)        |      Status:  new
 Priority:  normal              |   Milestone:  Awaiting Review
Component:  External Libraries  |     Version:  4.7.2
 Severity:  normal              |  Resolution:
 Keywords:  close               |     Focuses:
--------------------------------+------------------------------
Changes (by dd32):

 * keywords:  has-patch => close
 * component:  Mail => External Libraries
 * milestone:  4.7.5 => Awaiting Review


Comment:

 Unfortunately simply switching from `escapeshellcmd()` to
 `escapeshellarg()` isn't viable here, and likely introduces security
 concerns. They were introduced to fix the issues surrounding
 CVE-2016-10033 & CVE-2016-10045.

 https://github.com/PHPMailer/PHPMailer/issues/966 &
 https://github.com/PHPMailer/PHPMailer/issues/948 are the upstream issues
 for this problem, which have unfortunately been closed as wontfix.

 `escapeshellcmd()` does not introduce any security implications for an
 install, and is used to protect against them instead - the ideal solution
 here will be for you to contact your host and ask them to remove that
 from the `disable_functions` list, as they're specifically preventing us
 from sending email securely.

 If you wish to attempt to fix this, it should be fixed
 [https://github.com/PHPMailer/PHPMailer upstream within PHPMailer], and
 not within WordPress directly.

 I'm removing this from the 4.7.x milestone as it's not something we can
 fix directly, and can be milestoned in the event a new PHPMailer build
 becomes available which can be used here.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/40576#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
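
A way to confirm the host configuration described in the comment above, as an added example that is not part of the original ticket and is not WordPress or PHPMailer code: it parses the `disable_functions` setting and reports whether `escapeshellcmd()` or `escapeshellarg()` is blocked. The helper names `parse_disabled_functions` and `blocked_functions` and the sample ini value are constructed for illustration.

```php
<?php
// Added example (not WordPress or PHPMailer code): report whether the shell
// escaping functions named in this ticket are blocked by disable_functions.

/**
 * Parse a disable_functions ini value into a normalised list of names.
 * Hosts often write the list with stray spaces or trailing commas.
 */
function parse_disabled_functions(string $iniValue): array
{
    $names = array_map('trim', explode(',', strtolower($iniValue)));
    return array_values(array_filter($names, 'strlen'));
}

/**
 * Return the subset of $required that appears in the disable_functions value.
 */
function blocked_functions(string $iniValue, array $required): array
{
    $disabled = parse_disabled_functions($iniValue);
    $wanted   = array_map('strtolower', $required);
    return array_values(array_intersect($wanted, $disabled));
}

// The two functions discussed in the ticket.
$required = ['escapeshellcmd', 'escapeshellarg'];

// Constructed sample value, shaped like a restrictive shared-host setting.
$sample = 'exec, passthru,shell_exec ,escapeshellcmd,system,';
$sampleBlocked = blocked_functions($sample, $required);
echo 'sample config blocks: ', implode(', ', $sampleBlocked) ?: 'none', "\n";

// Live value for the PHP SAPI executing this script. The CLI and the web
// server can load different php.ini files, so run this through the same
// SAPI that serves the site to see what the mail code actually faces.
$live        = (string) ini_get('disable_functions');
$liveBlocked = blocked_functions($live, $required);

if ($liveBlocked === []) {
    echo "live config: escapeshellcmd() and escapeshellarg() are available\n";
} else {
    echo 'live config blocks: ', implode(', ', $liveBlocked), "\n";
    echo "ask the host to remove these from disable_functions\n";
}
```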

