From c4defc8bc76fc21dcafbb1ba280d33774c57bc6f Mon Sep 17 00:00:00 2001
From: Peter Wilson <wilson@peterwilson.cc>
Date: Wed, 12 May 2021 22:27:53 +0000
Subject: [PATCH] External libraries: Improve attachment handling in PHPMailer

Props: audrasjb, ayeshrajans, desrosj, peterwilsoncc, xknown.
Partially merges [50799] to the 5.4 branch.


Built from https://develop.svn.wordpress.org/branches/5.4@50850


git-svn-id: http://core.svn.wordpress.org/branches/5.4@50459 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/class-phpmailer.php | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/wp-includes/class-phpmailer.php b/wp-includes/class-phpmailer.php
index 30754a4e6c..5dbec95d3a 100644
--- a/wp-includes/class-phpmailer.php
+++ b/wp-includes/class-phpmailer.php
@@ -1475,7 +1475,28 @@ class PHPMailer
      */
     protected static function isPermittedPath($path)
     {
-        return !preg_match('#^[a-z]+://#i', $path);
+        //Matches scheme definition from https://tools.ietf.org/html/rfc3986#section-3.1
+        return !preg_match('#^[a-z][a-z\d+.-]*://#i', $path);
+    }
+
+    /**
+     * Check whether a file path is safe, accessible, and readable.
+     *
+     * @param string $path A relative or absolute path to a file
+     *
+     * @return bool
+     */
+    protected static function fileIsAccessible($path)
+    {
+        if (!static::isPermittedPath($path)) {
+                return false;
+        }
+        $readable = file_exists($path);
+        //If not a UNC path (expected to start with \\), check read permission, see #2069
+        if (strpos($path, '\\\\') !== 0) {
+            $readable = $readable && is_readable($path);
+        }
+        return $readable;
     }
 
     /**
@@ -1807,7 +1828,7 @@ class PHPMailer
         // There is no English translation file
         if ($langcode != 'en') {
             // Make sure language file path is readable
-            if (!self::isPermittedPath($lang_file) or !is_readable($lang_file)) {
+            if (!static::fileIsAccessible($lang_file)) {
                 $foundlang = false;
             } else {
                 // Overwrite language-specific strings.
@@ -2528,7 +2549,7 @@ class PHPMailer
     public function addAttachment($path, $name = '', $encoding = 'base64', $type = '', $disposition = 'attachment')
     {
         try {
-            if (!self::isPermittedPath($path) or !@is_file($path)) {
+            if (!static::fileIsAccessible($path)) {
                 throw new phpmailerException($this->lang('file_access') . $path, self::STOP_CONTINUE);
             }
 
@@ -2709,7 +2730,7 @@ class PHPMailer
     protected function encodeFile($path, $encoding = 'base64')
     {
         try {
-            if (!self::isPermittedPath($path) or !file_exists($path)) {
+            if (!static::fileIsAccessible($path)) {
                 throw new phpmailerException($this->lang('file_open') . $path, self::STOP_CONTINUE);
             }
             $magic_quotes = ( PHP_VERSION_ID < 70400 && get_magic_quotes_runtime() ); // WP: Patched for PHP 7.4.
@@ -3053,7 +3074,7 @@ class PHPMailer
      */
     public function addEmbeddedImage($path, $cid, $name = '', $encoding = 'base64', $type = '', $disposition = 'inline')
     {
-        if (!self::isPermittedPath($path) or !@is_file($path)) {
+        if (!static::fileIsAccessible($path)) {
             $this->setError($this->lang('file_access') . $path);
             return false;
         }