Opened 7 years ago
Closed 5 years ago
#40576 closed defect (bug) (reported-upstream)
Sending emails broken in 4.7.2
Reported by: | | Owned by: | |
---|---|---|---|
Milestone: | | Priority: | normal |
Severity: | normal | Version: | 4.7.2 |
Component: | External Libraries | Keywords: | close |
Focuses: | | Cc: | |
Description (last modified by )
This change in 4.7.2 probably broke sending emails for some websites: [39646]
PHPMailer was updated from 5.2.14 to 5.2.21 and several calls to escapeshellcmd() were added. But some users reported problems with emails not sending and we found some related errors, for example: Warning: escapeshellcmd() has been disabled for security reasons in .../wp-includes/class-phpmailer.php on line 1442.
Function escapeshellcmd() is disabled by the webhoster and it is not possible to allow it. Everything works in 4.7.1 and stopped working after the automatic update to 4.7.2.
Attachments (2)
Change History (7)
#1
@
7 years ago
- Component changed from General to Mail
- Description modified (diff)
- Milestone changed from Awaiting Review to 4.7.5
#3
@
7 years ago
- Component changed from Mail to External Libraries
- Keywords close added; has-patch removed
- Milestone changed from 4.7.5 to Awaiting Review
Unfortunately simply switching from escapeshellcmd() to escapeshellarg() isn't viable here, and likely introduces security concerns. They were introduced to fix the issues surrounding CVE-2016-10033 & CVE-2016-10045. (Installs which disable escapeshellcmd() most likely also disable escapeshellarg(), btw.)
https://github.com/PHPMailer/PHPMailer/issues/966 & https://github.com/PHPMailer/PHPMailer/issues/948 are the upstream issues for this problem, which have unfortunately been closed as wontfix.
escapeshellcmd() does not introduce any security implications for an install, and is used to protect against them instead - the ideal solution here will be for you to contact your host and ask them to remove that from the disable_functions list, as they're specifically preventing us from sending email securely.
If you wish to attempt to fix this, it should be fixed upstream within PHPMailer, and not within WordPress directly.
I'm removing this from the 4.7.x milestone as it's not something we can fix directly, and can be milestoned in the event a new PHPMailer build becomes available which can be used here.
#4
@
7 years ago
I agree that it is mostly a webhoster issue, but on the other hand WordPress was updated automatically and users were not aware of this serious issue. I found it when debugging why lead forms stopped working for one client. There should be some kind of warning message that emails stopped working when the function is disabled or something similar, I guess. Now there is no warning, emails only silently fail :-(
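The silent failure described in this ticket can be surfaced with a configuration check that compares the host's disable_functions setting against the two escaping functions named in the thread. This is an added example, not WordPress core or PHPMailer code; the function name example_disabled_mail_functions(), the sample ini value and the notice wording are assumptions made for illustration.

```php
<?php
// Added example: detect shell-escaping functions disabled by the host.

/**
 * Return the entries of $required that appear in a disable_functions value.
 *
 * @param string   $disable_functions Raw ini value, e.g. "exec, system".
 * @param string[] $required          Function names to look for.
 * @return string[] Disabled function names, lowercased, in $required order.
 */
function example_disabled_mail_functions( $disable_functions, array $required ) {
    // The ini value is comma-separated; hosts often add spaces or mixed case.
    $disabled = array_filter(
        array_map( 'trim', explode( ',', strtolower( $disable_functions ) ) )
    );
    return array_values(
        array_intersect( array_map( 'strtolower', $required ), $disabled )
    );
}

// The two functions discussed in this ticket.
$required = array( 'escapeshellcmd', 'escapeshellarg' );

// Constructed sample value, resembling a restrictive shared-hosting setup.
$sample = 'exec, passthru,shell_exec , escapeshellcmd, EscapeShellArg';
print_r( example_disabled_mail_functions( $sample, $required ) );

// Check the PHP configuration this script is actually running under.
$missing = example_disabled_mail_functions(
    (string) ini_get( 'disable_functions' ),
    $required
);

if ( $missing ) {
    $message = 'Outgoing email may fail: the host has disabled '
        . implode( '(), ', $missing ) . '().';

    if ( function_exists( 'add_action' ) ) {
        // Inside WordPress: show the problem in the admin area.
        add_action( 'admin_notices', function () use ( $message ) {
            echo '<div class="notice notice-error"><p>'
                . esc_html( $message ) . '</p></div>';
        } );
    } else {
        // Outside WordPress: record it in the PHP error log instead.
        error_log( $message );
    }
}
```

Run from the command line it prints the two disabled names found in the sample value; loaded inside WordPress it adds an admin notice only when the live configuration disables one of them.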
#5
@
5 years ago
- Milestone Awaiting Review deleted
- Resolution set to reported-upstream
- Status changed from new to closed
I'm going to close this out. As @dd32 mentioned above, this needs to be addressed upstream in PHPMailer in order to fix in WordPress.
#41750 updates PHPMailer to the latest version in Core.
escapeshellarg() function should be used to escape individual arguments to shell functions coming from user input @pavelevap