From b74497373a8d9099216f271cbbe21b7b08387661 Mon Sep 17 00:00:00 2001 From: Marcus Bointon Date: Sat, 15 Feb 2020 14:16:15 +0100 Subject: [PATCH] DKIM tweaks, see #1962, #1964, #1965 --- src/PHPMailer.php | 59 +++++++++++++++++++++++++++++++++-------------- 1 file changed, 42 insertions(+), 17 deletions(-) diff --git a/src/PHPMailer.php b/src/PHPMailer.php index 127f2b79b..e0e146541 100644 --- a/src/PHPMailer.php +++ b/src/PHPMailer.php @@ -769,11 +769,22 @@ class PHPMailer const STOP_CRITICAL = 2; /** - * SMTP RFC standard line ending. + * The SMTP standard CRLF line break. + * If you want to change line break format, change static::$LE, not this. + */ + const CRLF = "\r\n"; + + /** + * "Folding White Space" a white space string used for line folding. + */ + const FWS = ' '; + + /** + * SMTP RFC standard line ending; Carriage Return, Line Feed. * * @var string */ - protected static $LE = "\r\n"; + protected static $LE = self::CRLF; /** * The maximum line length supported by mail(). @@ -1446,7 +1457,7 @@ public function preSend() ) { //SMTP mandates RFC-compliant line endings //and it's also used with mail() on Windows - static::setLE("\r\n"); + static::setLE(self::CRLF); } else { //Maintain backward compatibility with legacy Linux command line mailers static::setLE(PHP_EOL); @@ -1553,7 +1564,7 @@ public function preSend() $this->encodeHeader($this->secureHeader($this->Subject)), $this->MIMEBody ); - $this->MIMEHeader = rtrim($this->MIMEHeader, "\r\n ") . static::$LE . + $this->MIMEHeader = static::stripTrailingWSP($this->MIMEHeader) . static::$LE . static::normalizeBreaks($header_dkim) . static::$LE; } @@ -1620,7 +1631,7 @@ public function postSend() */ protected function sendmailSend($header, $body) { - $header = rtrim($header, "\r\n ") . static::$LE . static::$LE; + $header = static::stripTrailingWSP($header) . static::$LE . static::$LE; // CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped. if (!empty($this->Sender) && self::isShellSafe($this->Sender)) { @@ -1750,7 +1761,7 @@ protected static function isPermittedPath($path) */ protected function mailSend($header, $body) { - $header = rtrim($header, "\r\n ") . static::$LE . static::$LE; + $header = static::stripTrailingWSP($header) . static::$LE . static::$LE; $toArr = []; foreach ($this->to as $toaddr) { @@ -1839,7 +1850,7 @@ public function setSMTPInstance(SMTP $smtp) */ protected function smtpSend($header, $body) { - $header = rtrim($header, "\r\n ") . static::$LE . static::$LE; + $header = static::stripTrailingWSP($header) . static::$LE . static::$LE; $bad_rcpt = []; if (!$this->smtpConnect($this->SMTPOptions)) { throw new Exception($this->lang('smtp_connect_failed'), self::STOP_CRITICAL); @@ -2511,7 +2522,8 @@ public function getMailMIME() */ public function getSentMIMEMessage() { - return rtrim($this->MIMEHeader . $this->mailHeader, "\n\r") . static::$LE . static::$LE . $this->MIMEBody; + return static::stripTrailingWSP($this->MIMEHeader . $this->mailHeader) . + static::$LE . static::$LE . $this->MIMEBody; } /** @@ -4355,7 +4367,7 @@ public static function normalizeBreaks($text, $breaktype = null) $breaktype = static::$LE; } // Normalise to \n - $text = str_replace(["\r\n", "\r"], "\n", $text); + $text = str_replace([self::CRLF, "\r"], "\n", $text); // Now convert LE as needed if ("\n" !== $breaktype) { $text = str_replace("\n", $breaktype, $text); @@ -4364,6 +4376,18 @@ public static function normalizeBreaks($text, $breaktype = null) return $text; } + /** + * Remove trailing breaks from a string + * + * @param string $text + * + * @return string The text to remove breaks from. + */ + public static function stripTrailingWSP($text) + { + return rtrim($text, " \r\n\t"); + } + /** * Return the current line break format string. * @@ -4478,7 +4502,7 @@ public function DKIM_HeaderC($signHeader) //Unfold header lines $signHeader = preg_replace('/\r\n[ \t]+/', ' ', $signHeader); //Break headers out into an array - $lines = explode("\r\n", $signHeader); + $lines = explode(self::CRLF, static::normalizeBreaks($signHeader, self::CRLF)); foreach ($lines as $key => $line) { //If the header is missing a :, skip it as it's invalid //This is likely to happen because the explode() above will also split @@ -4498,7 +4522,7 @@ public function DKIM_HeaderC($signHeader) $lines[$key] = trim($heading, " \t") . ':' . trim($value, " \t"); } - return implode("\r\n", $lines); + return implode(self::CRLF, $lines); } /** @@ -4515,13 +4539,13 @@ public function DKIM_HeaderC($signHeader) public function DKIM_BodyC($body) { if (empty($body)) { - return "\r\n"; + return self::CRLF; } // Normalize line endings to CRLF - $body = static::normalizeBreaks($body, "\r\n"); + $body = static::normalizeBreaks($body, self::CRLF); //Reduce multiple trailing line breaks to a single one - return rtrim($body, "\r\n") . "\r\n"; + return static::stripTrailingWSP($body) . self::CRLF; } /** @@ -4542,6 +4566,7 @@ public function DKIM_Add($headers_line, $subject, $body) $DKIMquery = 'dns/txt'; // Query method $DKIMtime = time(); //Always sign these headers without being asked + //Recommended list from https://tools.ietf.org/html/rfc6376#section-5.4.1 $autoSignHeaders = [ 'From', 'To', @@ -4625,9 +4650,9 @@ public function DKIM_Add($headers_line, $subject, $body) //Fold long values if (strlen($copiedHeader) > self::STD_LINE_LENGTH - 3) { $copiedHeaderFields .= substr( - chunk_split($copiedHeader, self::STD_LINE_LENGTH - 3, static::$LE . ' '), + chunk_split($copiedHeader, self::STD_LINE_LENGTH - 3, static::$LE . self::FWS), 0, - -strlen(static::$LE . ' ') + -strlen(static::$LE . self::FWS) ); } else { $copiedHeaderFields .= $copiedHeader; @@ -4666,7 +4691,7 @@ public function DKIM_Add($headers_line, $subject, $body) $headerValues . static::$LE . $dkimSignatureHeader ); $signature = $this->DKIM_Sign($canonicalizedHeaders); - $signature = trim(chunk_split($signature, self::STD_LINE_LENGTH - 3, static::$LE . ' ')); + $signature = trim(chunk_split($signature, self::STD_LINE_LENGTH - 3, static::$LE . self::FWS)); return static::normalizeBreaks($dkimSignatureHeader . $signature) . static::$LE; }