See prior work at https://secure.phabricator.com/T12046
Basically, there are a bunch of security alerts that come up with PHPMailer, which we include as code.
In T12046, epriestley analysed the 2016 exploits and concluded that we're not vulnerable, but that if the situation gets any worse we should just dump PHPMailer and write our own.
This is the public Security disclosure document of PHPMailer, and we should be tracking it to see if it got worse:
https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md
As of now, it lists the following items since 2016:
[ ] CVE-2017-5223
[ ] CVE-2017-11503
[ ] CVE-2018-19296 and CVE-2020-36326
[ ] CVE-2020-13625
[ ] CVE-2021-34551
[ ] CVE-2021-3603
That's an average of one a year, which seems kinda high to me (there are now 7600 lines of code in there).
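As an added example (not Phabricator's or PHPMailer's own code), a small Python check that pulls the CVE identifiers out of a saved copy of SECURITY.md and reports any that are not already in the list above; the sample document text and the CVE-2099-00001 entry are constructed placeholders for the example.

```python
import re
from collections import Counter

# CVE IDs already listed in this task: the set we consider tracked.
TRACKED_CVES = {
    "CVE-2017-5223", "CVE-2017-11503", "CVE-2018-19296", "CVE-2020-36326",
    "CVE-2020-13625", "CVE-2021-34551", "CVE-2021-3603",
}

# Constructed stand-in for the text of PHPMailer's SECURITY.md. In real use,
# read the downloaded file instead. The last line is a placeholder ID, made
# up for this example, to show how a newly added disclosure is surfaced.
SAMPLE_SECURITY_MD = """
## Security notices
- CVE-2017-5223 (see advisory)
- CVE-2017-11503 (see advisory)
- CVE-2018-19296 and CVE-2020-36326 (see advisory)
- CVE-2020-13625 (see advisory)
- CVE-2021-34551 (see advisory)
- CVE-2021-3603 (see advisory)
- CVE-2099-00001 (placeholder, constructed for this example)
"""

# CVE identifiers: "CVE-", a 4-digit year, then 4 or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")


def extract_cves(text):
    """Return the de-duplicated set of CVE identifiers mentioned in text."""
    return set(CVE_RE.findall(text))


def new_cves(text, tracked=TRACKED_CVES):
    """CVE IDs present in the disclosure document but not yet tracked here."""
    return sorted(extract_cves(text) - tracked)


def cves_per_year(cves):
    """Count IDs by the year in the identifier (CVE-YYYY-NNNN). Note this is
    the year the ID was assigned, which is not always the disclosure year."""
    return dict(Counter(cve.split("-")[1] for cve in cves))


if __name__ == "__main__":
    print("untracked:", new_cves(SAMPLE_SECURITY_MD))
    print("per year:", cves_per_year(TRACKED_CVES))
```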