2 files changed, 96 insertions, 1 deletions

diff --git a/PHPMailer-5.2.28-cve2020-13625.patch b/PHPMailer-5.2.28-cve2020-13625.patch
new file mode 100644
index 0000000..7063ed4
--- /dev/null
+++ b/PHPMailer-5.2.28-cve2020-13625.patch
@@ -0,0 +1,88 @@
+diff -Naurp PHPMailer-acba50393dd03da69a50226c139722af8b153b11.orig/class.phpmailer.php PHPMailer-acba50393dd03da69a50226c139722af8b153b11.new/class.phpmailer.php
+--- PHPMailer-acba50393dd03da69a50226c139722af8b153b11.orig/class.phpmailer.php	2020-06-20 23:41:09.301467536 +0200
++++ PHPMailer-acba50393dd03da69a50226c139722af8b153b11.new/class.phpmailer.php	2020-06-21 00:12:06.174576353 +0200
+@@ -2621,9 +2621,9 @@ class PHPMailer
+                 //Only include a filename property if we have one
+                 if (!empty($name)) {
+                     $mime[] = sprintf(
+-                        'Content-Type: %s; name="%s"%s',
++                        'Content-Type: %s; name=%s%s',
+                         $type,
+-                        $this->encodeHeader($this->secureHeader($name)),
++                        self::quotedString($this->encodeHeader($this->secureHeader($name))),
+                         $this->LE
+                     );
+                 } else {
+@@ -2642,34 +2642,22 @@ class PHPMailer
+                     $mime[] = sprintf('Content-ID: <%s>%s', $cid, $this->LE);
+                 }
+ 
+-                // If a filename contains any of these chars, it should be quoted,
+-                // but not otherwise: RFC2183 & RFC2045 5.1
+-                // Fixes a warning in IETF's msglint MIME checker
+-                // Allow for bypassing the Content-Disposition header totally
++                // Allow for bypassing the Content-Disposition header
+                 if (!(empty($disposition))) {
+                     $encoded_name = $this->encodeHeader($this->secureHeader($name));
+-                    if (preg_match('/[ \(\)<>@,;:\\"\/\[\]\?=]/', $encoded_name)) {
++                    if (!empty($encoded_name)) {
+                         $mime[] = sprintf(
+-                            'Content-Disposition: %s; filename="%s"%s',
++                            'Content-Disposition: %s; filename=%s%s',
+                             $disposition,
+-                            $encoded_name,
++                            self::quotedString($encoded_name),
+                             $this->LE . $this->LE
+                         );
+                     } else {
+-                        if (!empty($encoded_name)) {
+-                            $mime[] = sprintf(
+-                                'Content-Disposition: %s; filename=%s%s',
+-                                $disposition,
+-                                $encoded_name,
+-                                $this->LE . $this->LE
+-                            );
+-                        } else {
+-                            $mime[] = sprintf(
+-                                'Content-Disposition: %s%s',
+-                                $disposition,
+-                                $this->LE . $this->LE
+-                            );
+-                        }
++                        $mime[] = sprintf(
++                            'Content-Disposition: %s%s',
++                            $disposition,
++                            $this->LE . $this->LE
++                        );
+                     }
+                 } else {
+                     $mime[] = $this->LE;
+@@ -3974,6 +3962,28 @@ class PHPMailer
+     }
+ 
+     /**
++     * If a string contains any "special" characters, double-quote the name,
++     * and escape any double quotes with a backslash.
++     *
++     * @param string $str
++     *
++     * @return string
++     *
++     * @see RFC822 3.4.1
++     */
++    public static function quotedString($str)
++    {
++        if (preg_match('/[ ()<>@,;:"\/\[\]?=]/', $str)) {
++            //If the string contains any of these chars, it must be double-quoted
++            //and any double quotes must be escaped with a backslash
++            return '"' . str_replace('"', '\\"', $str) . '"';
++        }
++
++        //Return the string untouched, it doesn't need quoting
++        return $str;
++    }
++
++    /**
+      * Allows for public read access to 'to' property.
+      * @note: Before the send() call, queued addresses (i.e. with IDN) are not yet included.
+      * @access public
diff --git a/php-PHPMailer.spec b/php-PHPMailer.spec
index e770d29..6166a86 100644
--- a/php-PHPMailer.spec
+++ b/php-PHPMailer.spec
@@ -17,7 +17,7 @@
 Name:		php-PHPMailer
 Summary:	PHP email transport class with a lot of features
 Version:	5.2.28
-Release:	1%{?dist}
+Release:	2%{?dist}
 License:	LGPLv2+
 URL:		https://github.com/%{github_user}/%{github_app}
 
@@ -26,6 +26,7 @@ Source0:	https://github.com/%{github_user}/%{github_app}/archive/%{github_tag}/%
 # Fix language default path
 # Don't rely on autoloader (for app which overides __construct)
 Patch0:		%{github_app}-path.patch
+Patch1:		%{github_app}-5.2.28-cve2020-13625.patch
 
 Buildarch:	noarch
 
@@ -77,6 +78,7 @@ Full Featured Email Transfer Class for PHP. PHPMailer features:
 %setup -q -n %{arch_name}
 
 %patch0 -p1 -b .rpm
+%patch1 -p1 -b .cve2020-13625
 
 
 #-------------------------------------------------------------------------------
@@ -139,6 +141,11 @@ version_compare($mailer->Version, "%{version}", "=") or exit(1);
 
 
 %changelog
+* Sun Jun 21 2020 Patrick Monnerat <patrick@monnerat.net> 5.2.28-2
+- Patch "cve2020-13625" fixes CVE-2020-13625 vulnerability. This is a backport
+  of https://github.com/PHPMailer/PHPMailer/commit/c2796cb.
+  https://bugzilla.redhat.com/show_bug.cgi?id=1848842
+
 * Thu Mar 19 2020 Remi Collet <remi@remirepo.net> - 5.2.28-1
 - update to 5.2.28