Commit efa71d7b by Scott

Upgrade dependencies

jQuery 3.5.1
htmLawed 1.2.5
PHPMailer 5.2.28
parent 86428766
...@@ -798,7 +798,7 @@ function qa_content_prepare($voting = false, $categoryids = array()) ...@@ -798,7 +798,7 @@ function qa_content_prepare($voting = false, $categoryids = array())
} }
} }
$qa_content['script_rel'] = array('qa-content/jquery-3.3.1.min.js'); $qa_content['script_rel'] = array('qa-content/jquery-3.5.1.min.js');
$qa_content['script_rel'][] = 'qa-content/qa-global.js?' . QA_VERSION; $qa_content['script_rel'][] = 'qa-content/qa-global.js?' . QA_VERSION;
if ($voting) if ($voting)
...@@ -31,7 +31,7 @@ class PHPMailer ...@@ -31,7 +31,7 @@ class PHPMailer
* The PHPMailer Version number. * The PHPMailer Version number.
* @var string * @var string
*/ */
public $Version = '5.2.26'; public $Version = '5.2.28';
/** /**
* Email priority. * Email priority.
...@@ -1296,9 +1296,12 @@ class PHPMailer ...@@ -1296,9 +1296,12 @@ class PHPMailer
// Sign with DKIM if enabled // Sign with DKIM if enabled
if (!empty($this->DKIM_domain) if (!empty($this->DKIM_domain)
&& !empty($this->DKIM_selector) and !empty($this->DKIM_selector)
&& (!empty($this->DKIM_private_string) and (!empty($this->DKIM_private_string)
|| (!empty($this->DKIM_private) && file_exists($this->DKIM_private)) or (!empty($this->DKIM_private)
and self::isPermittedPath($this->DKIM_private)
and file_exists($this->DKIM_private)
)
) )
) { ) {
$header_dkim = $this->DKIM_Add( $header_dkim = $this->DKIM_Add(
...@@ -1464,6 +1467,18 @@ class PHPMailer ...@@ -1464,6 +1467,18 @@ class PHPMailer
} }
/** /**
* Check whether a file path is of a permitted type.
* Used to reject URLs and phar files from functions that access local file paths,
* such as addAttachment.
* @param string $path A relative or absolute path to a file.
* @return bool
*/
protected static function isPermittedPath($path)
{
return !preg_match('#^[a-z]+://#i', $path);
}
/**
* Send mail using the PHP mail() function. * Send mail using the PHP mail() function.
* @param string $header The message headers * @param string $header The message headers
* @param string $body The message body * @param string $body The message body
...@@ -1791,7 +1806,7 @@ class PHPMailer ...@@ -1791,7 +1806,7 @@ class PHPMailer
// There is no English translation file // There is no English translation file
if ($langcode != 'en') { if ($langcode != 'en') {
// Make sure language file path is readable // Make sure language file path is readable
if (!is_readable($lang_file)) { if (!self::isPermittedPath($lang_file) or !is_readable($lang_file)) {
$foundlang = false; $foundlang = false;
} else { } else {
// Overwrite language-specific strings. // Overwrite language-specific strings.
...@@ -2499,6 +2514,8 @@ class PHPMailer ...@@ -2499,6 +2514,8 @@ class PHPMailer
* Add an attachment from a path on the filesystem. * Add an attachment from a path on the filesystem.
* Never use a user-supplied path to a file! * Never use a user-supplied path to a file!
* Returns false if the file could not be found or read. * Returns false if the file could not be found or read.
* Explicitly *does not* support passing URLs; PHPMailer is not an HTTP client.
* If you need to do that, fetch the resource yourself and pass it in via a local file or string.
* @param string $path Path to the attachment. * @param string $path Path to the attachment.
* @param string $name Overrides the attachment name. * @param string $name Overrides the attachment name.
* @param string $encoding File encoding (see $Encoding). * @param string $encoding File encoding (see $Encoding).
...@@ -2510,7 +2527,7 @@ class PHPMailer ...@@ -2510,7 +2527,7 @@ class PHPMailer
public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment') public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment')
{ {
try { try {
if (!@is_file($path)) { if (!self::isPermittedPath($path) or !@is_file($path)) {
throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE); throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
} }
...@@ -2691,10 +2708,13 @@ class PHPMailer ...@@ -2691,10 +2708,13 @@ class PHPMailer
protected function encodeFile($path, $encoding = 'base64') protected function encodeFile($path, $encoding = 'base64')
{ {
try { try {
if (!is_readable($path)) { if (!self::isPermittedPath($path) or !file_exists($path)) {
throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE); throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE);
} }
$magic_quotes = get_magic_quotes_runtime(); $magic_quotes = false;
if( version_compare(PHP_VERSION, '7.4.0', '<') ) {
$magic_quotes = get_magic_quotes_runtime();
}
if ($magic_quotes) { if ($magic_quotes) {
if (version_compare(PHP_VERSION, '5.3.0', '<')) { if (version_compare(PHP_VERSION, '5.3.0', '<')) {
set_magic_quotes_runtime(false); set_magic_quotes_runtime(false);
...@@ -3035,7 +3055,7 @@ class PHPMailer ...@@ -3035,7 +3055,7 @@ class PHPMailer
*/ */
public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline') public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline')
{ {
if (!@is_file($path)) { if (!self::isPermittedPath($path) or !@is_file($path)) {
$this->setError($this->lang('file_access') . $path); $this->setError($this->lang('file_access') . $path);
return false; return false;
} }
...@@ -30,7 +30,7 @@ class SMTP ...@@ -30,7 +30,7 @@ class SMTP
* The PHPMailer SMTP version number. * The PHPMailer SMTP version number.
* @var string * @var string
*/ */
const VERSION = '5.2.26'; const VERSION = '5.2.28';
/** /**
* SMTP line break constant. * SMTP line break constant.
...@@ -81,7 +81,7 @@ class SMTP ...@@ -81,7 +81,7 @@ class SMTP
* @deprecated Use the `VERSION` constant instead * @deprecated Use the `VERSION` constant instead
* @see SMTP::VERSION * @see SMTP::VERSION
*/ */
public $Version = '5.2.26'; public $Version = '5.2.28';
/** /**
* SMTP server port number. * SMTP server port number.
<?php <?php
/* /*
htmLawed 1.2.4.1, 12 September 2017 htmLawed 1.2.5, 24 September 2019
Copyright Santosh Patnaik Copyright Santosh Patnaik
Dual licensed with LGPL 3 and GPL 2+ Dual licensed with LGPL 3 and GPL 2+
A PHP Labware internal utility - www.bioinformatics.org/phplabware/internal_utilities/htmLawed A PHP Labware internal utility - www.bioinformatics.org/phplabware/internal_utilities/htmLawed
...@@ -43,7 +43,7 @@ $C['deny_attribute'] = $x; ...@@ -43,7 +43,7 @@ $C['deny_attribute'] = $x;
// config URLs // config URLs
$x = (isset($C['schemes'][2]) && strpos($C['schemes'], ':')) ? strtolower($C['schemes']) : 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet'. (empty($C['safe']) ? ', app, javascript; *: data, javascript, ' : '; *:'). 'file, http, https'; $x = (isset($C['schemes'][2]) && strpos($C['schemes'], ':')) ? strtolower($C['schemes']) : 'href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, tel, telnet'. (empty($C['safe']) ? ', app, javascript; *: data, javascript, ' : '; *:'). 'file, http, https';
$C['schemes'] = array(); $C['schemes'] = array();
foreach(explode(';', str_replace(array(' ', "\t", "\r", "\n"), '', $x)) as $v){ foreach(explode(';', trim(str_replace(array(' ', "\t", "\r", "\n"), '', $x), ';')) as $v){
$x = $x2 = null; list($x, $x2) = explode(':', $v, 2); $x = $x2 = null; list($x, $x2) = explode(':', $v, 2);
if($x2){$C['schemes'][$x] = array_flip(explode(',', $x2));} if($x2){$C['schemes'][$x] = array_flip(explode(',', $x2));}
} }
...@@ -390,7 +390,7 @@ $s = array(); ...@@ -390,7 +390,7 @@ $s = array();
if(!function_exists('hl_aux1')){function hl_aux1($m){ if(!function_exists('hl_aux1')){function hl_aux1($m){
return substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", '`"'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", '"'), $m[0]), 1, -1); return substr(str_replace(array(";", "|", "~", " ", ",", "/", "(", ")", '`"'), array("\x01", "\x02", "\x03", "\x04", "\x05", "\x06", "\x07", "\x08", '"'), $m[0]), 1, -1);
}} }}
$t = str_replace(array("\t", "\r", "\n", ' '), '', preg_replace_callback('/"(?>(`.|[^"])*)"/sm', 'hl_aux1', trim($t))); $t = str_replace(array("\t", "\r", "\n", ' '), '', preg_replace_callback('/"(?>(`.|[^"])*)"/sm', 'hl_aux1', trim($t)));
for($i = count(($t = explode(';', $t))); --$i>=0;){ for($i = count(($t = explode(';', $t))); --$i>=0;){
$w = $t[$i]; $w = $t[$i];
if(empty($w) or ($e = strpos($w, '=')) === false or !strlen(($a = substr($w, $e+1)))){continue;} if(empty($w) or ($e = strpos($w, '=')) === false or !strlen(($a = substr($w, $e+1)))){continue;}
...@@ -652,11 +652,11 @@ if($e == 'font'){ ...@@ -652,11 +652,11 @@ if($e == 'font'){
$a2 = ''; $a2 = '';
while(preg_match('`(^|\s)(color|size)\s*=\s*(\'|")?(.+?)(\\3|\s|$)`i', $a, $m)){ while(preg_match('`(^|\s)(color|size)\s*=\s*(\'|")?(.+?)(\\3|\s|$)`i', $a, $m)){
$a = str_replace($m[0], ' ', $a); $a = str_replace($m[0], ' ', $a);
$a2 .= strtolower($m[2]) == 'color' ? (' color: '. str_replace('"', '\'', trim($m[4])). ';') : (isset($fs[($m = trim($m[4]))]) ? ($a2 .= ' font-size: '. str_replace('"', '\'', $fs[$m]). ';') : ''); $a2 .= strtolower($m[2]) == 'color' ? (' color: '. str_replace(array('"', ';', ':'), '\'', trim($m[4])). ';') : (isset($fs[($m = trim($m[4]))]) ? (' font-size: '. $fs[$m]. ';') : '');
} }
while(preg_match('`(^|\s)face\s*=\s*(\'|")?([^=]+?)\\2`i', $a, $m) or preg_match('`(^|\s)face\s*=(\s*)(\S+)`i', $a, $m)){ while(preg_match('`(^|\s)face\s*=\s*(\'|")?([^=]+?)\\2`i', $a, $m) or preg_match('`(^|\s)face\s*=(\s*)(\S+)`i', $a, $m)){
$a = str_replace($m[0], ' ', $a); $a = str_replace($m[0], ' ', $a);
$a2 .= ' font-family: '. str_replace('"', '\'', trim($m[3])). ';'; $a2 .= ' font-family: '. str_replace(array('"', ';', ':'), '\'', trim($m[3])). ';';
} }
$e = 'span'; return ltrim(str_replace('<', '', $a2)); $e = 'span'; return ltrim(str_replace('<', '', $a2));
} }
...@@ -725,5 +725,5 @@ return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array( ...@@ -725,5 +725,5 @@ return str_replace(array("\x01", "\x02", "\x03", "\x04", "\x05", "\x07"), array(
function hl_version(){ function hl_version(){
// version // version
return '1.2.4.1'; return '1.2.5';
} }