path: root/PHPMailer-5.2.28-cve2020-13625.patch
blob: 7063ed40577b09775f24e44464b6ce66bc4cb87d (plain)
diff -Naurp PHPMailer-acba50393dd03da69a50226c139722af8b153b11.orig/class.phpmailer.php PHPMailer-acba50393dd03da69a50226c139722af8b153b11.new/class.phpmailer.php
--- PHPMailer-acba50393dd03da69a50226c139722af8b153b11.orig/class.phpmailer.php	2020-06-20 23:41:09.301467536 +0200
+++ PHPMailer-acba50393dd03da69a50226c139722af8b153b11.new/class.phpmailer.php	2020-06-21 00:12:06.174576353 +0200
@@ -2621,9 +2621,9 @@ class PHPMailer
                 //Only include a filename property if we have one
                 if (!empty($name)) {
                     $mime[] = sprintf(
-                        'Content-Type: %s; name="%s"%s',
+                        'Content-Type: %s; name=%s%s',
                         $type,
-                        $this->encodeHeader($this->secureHeader($name)),
+                        self::quotedString($this->encodeHeader($this->secureHeader($name))),
                         $this->LE
                     );
                 } else {
@@ -2642,34 +2642,22 @@ class PHPMailer
                     $mime[] = sprintf('Content-ID: <%s>%s', $cid, $this->LE);
                 }
 
-                // If a filename contains any of these chars, it should be quoted,
-                // but not otherwise: RFC2183 & RFC2045 5.1
-                // Fixes a warning in IETF's msglint MIME checker
-                // Allow for bypassing the Content-Disposition header totally
+                // Allow for bypassing the Content-Disposition header
                 if (!(empty($disposition))) {
                     $encoded_name = $this->encodeHeader($this->secureHeader($name));
-                    if (preg_match('/[ \(\)<>@,;:\\"\/\[\]\?=]/', $encoded_name)) {
+                    if (!empty($encoded_name)) {
                         $mime[] = sprintf(
-                            'Content-Disposition: %s; filename="%s"%s',
+                            'Content-Disposition: %s; filename=%s%s',
                             $disposition,
-                            $encoded_name,
+                            self::quotedString($encoded_name),
                             $this->LE . $this->LE
                         );
                     } else {
-                        if (!empty($encoded_name)) {
-                            $mime[] = sprintf(
-                                'Content-Disposition: %s; filename=%s%s',
-                                $disposition,
-                                $encoded_name,
-                                $this->LE . $this->LE
-                            );
-                        } else {
-                            $mime[] = sprintf(
-                                'Content-Disposition: %s%s',
-                                $disposition,
-                                $this->LE . $this->LE
-                            );
-                        }
+                        $mime[] = sprintf(
+                            'Content-Disposition: %s%s',
+                            $disposition,
+                            $this->LE . $this->LE
+                        );
                     }
                 } else {
                     $mime[] = $this->LE;
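Review bot: `if (!empty($encoded_name))` treats the string `"0"` as empty, so an attachment whose name is `0` gets a bare `Content-Disposition` header with no filename parameter; the `!empty($name)` guard visible as context in the first hunk has the same effect on the Content-Type `name`. An explicit comparison states the intent: `if ($encoded_name !== '') {`. This assumes encodeHeader() always returns a string, which cannot be checked here because it is defined outside the patch. The enclosing method starts and ends outside the hunk.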
@@ -3974,6 +3962,28 @@ class PHPMailer
     }
 
     /**
+     * If a string contains any "special" characters, double-quote the name,
+     * and escape any double quotes with a backslash.
+     *
+     * @param string $str
+     *
+     * @return string
+     *
+     * @see RFC822 3.4.1
+     */
+    public static function quotedString($str)
+    {
+        if (preg_match('/[ ()<>@,;:"\/\[\]?=]/', $str)) {
+            //If the string contains any of these chars, it must be double-quoted
+            //and any double quotes must be escaped with a backslash
+            return '"' . str_replace('"', '\\"', $str) . '"';
+        }
+
+        //Return the string untouched, it doesn't need quoting
+        return $str;
+    }
+
+    /**
      * Allows for public read access to 'to' property.
      * @note: Before the send() call, queued addresses (i.e. with IDN) are not yet included.
      * @access public
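Review bot: quotedString() escapes `"` but leaves `\` alone, and `\` is also missing from the character class on the preg_match line, although it is both an RFC 2045 tspecial and the quoted-pair escape character. If encodeHeader() passes a backslash through unchanged (not visible in this patch, so worth confirming), a backslash directly before a double quote is emitted as an escaped backslash followed by an unescaped quote, which ends the quoted string early. Escaping the backslash first closes that gap: `return '"' . str_replace(array('\\', '"'), array('\\\\', '\\"'), $str) . '"';`, with `\\\\` added to the character class so a lone backslash also forces quoting. A unit test covering names that contain `"`, `\` and both together would pin the behaviour.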