Tiny Tiny RSS: Community

Phpmailer CVE-2018-19296 update


#1

Based on the following, does the included phpmailer need to be updated?

On top of that, should the included phpmailer be updated to 6, since 5.x is deprecated?


#2

this, i think, is the fourth time i have to update this library because of security issues. i think it’s time to ditch it because its author is clearly incapable of writing secure code.

straight up using php mail() should be good enough, i think.

e: i’ll rework mail handler to be pluggable and default to mail() if not handled by a plugin.


#3

heads up: phpmailer (and by extension old ttrssMailer wrapper) has been removed from trunk.

instead i’ve written a tiny mailer class using PHP mail() which should be, in my opinion, good enough for most people.

if you need direct SMTP support within tt-rss read below:

  1. mailer is pluggable and invokes PluginHost::HOOK_SEND_MAIL (usage explained in classes/mailer.php)
  2. later i might make a separate (out of main tree) phpmailer-or-something-else-based plugin for extended SMTP support, but at this point there isn’t one, so you might want to hold off updating if you depend on sending mail this way (docker? idk)
  3. if someone wants to help rewrap phpmailer into a tt-rss plugin, by all means post on the T&P subforum, i would appreciate it

commit: https://git.tt-rss.org/fox/tt-rss/commit/57932e183745bada9c6183056597cb5276f68d10

as usual report all issues here.


#4

How about updating include/sanity_config.php ? :wink:

I’ve tried to submit a push request, but for whatever reason I didn’t succeed in pushing my branch onto git.tt-rss.org. Did anything change since my last push request (a few months ago)?


#5

What was the git error you got?


#6

with:

$ cat .git/config 
[...]
[remote "tt-rss-ggrandou"]
	url = [email protected]:ggrandou/tt-rss.git
	fetch = +refs/heads/*:refs/remotes/tt-rss-ggrandou/*

$ git push tt-rss-ggrandou fix_smtp_config:fix_smtp_config

never completes.
but I don’t want to hijack the initial thread…


#7

you’re likely running into cloudflare
does git over https work? because git over ssh obviously won’t (cloudflare only MITMs https)


#8

yep. git over https works fine.
It has been a long time since the last time I had to use a login/passwd to authenticate myself on a git server :stuck_out_tongue:

my pull request is here:

Thanks!


#9

there should be a better solution to all this (without exposing git.tt-rss.org) but i’m not really seeing it
proxying gogs ssh through yet another domain just seems stupid


#10

going back to original topic, i made a simple SMTP plugin based on latest phpmailer, it’s available here:

i didn’t do a lot of testing but it seems to work


#11

I just updated and wanted to use php-mail (the requirement of php-mail should be made clear in the wiki).

If I am testing with the "Password recovery" function, the current implementation fails with postfix/sendmail[18322]: fatal: www-data(33): No recipient addresses found in message header
If I change $to_address = $params["to_address"]; to $to_address = "[email protected]"; it works.

Is this because of the "Password recovery" function, or is this a general problem, that the mail address is not fed to the mail function in quotation marks?


#12

i have no idea what “php-mail” is (a library?), tt-rss stock is using php stock mail() function which uses system MTA. no libraries needed.

nah, that’s just basically a typo. mailer syntax got updated once and i forgot to update this particular invocation. should be fixed in trunk.

e: https://git.tt-rss.org/fox/tt-rss/commit/79c50359203afef9c04824376368040139fc3402
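A sketch of the pluggable-mailer idea from #3 together with the missing-recipient failure from #11, as an added example (not tt-rss's classes/mailer.php or the thread author's code): registered plugin callbacks stand in for PluginHost::HOOK_SEND_MAIL and get first refusal, and PHP mail() is the fallback. The class and method names, the parameter array keys and the callback signature are all assumptions.

```php
<?php
// Added illustration, not tt-rss's own classes/mailer.php: a minimal mailer that
// first offers the message to a plugin callback (standing in for
// PluginHost::HOOK_SEND_MAIL) and falls back to PHP's mail() otherwise.
// TinyMailer, addHook() and send() are hypothetical names.
final class TinyMailer {
    /** @var callable[] plugin callbacks; each returns true if it handled the mail */
    private array $hooks = [];
    public function addHook(callable $hook): void {
        $this->hooks[] = $hook;
    }
    /** Reject anything that is not a single, well-formed address. */
    private static function cleanAddress(string $addr): string {
        $addr = trim($addr);
        if ($addr === '' || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("invalid or empty address: '$addr'");
        }
        return $addr;
    }
    /** Header values must stay on one line; a CR/LF here would smuggle in extra headers. */
    private static function cleanHeader(string $value): string {
        if (preg_match('/[\r\n]/', $value)) {
            throw new InvalidArgumentException('line break in header value');
        }
        return $value;
    }
    public function send(array $params): bool {
        $to      = self::cleanAddress($params['to_address'] ?? '');
        $from    = self::cleanAddress($params['from_address'] ?? '');
        $subject = self::cleanHeader($params['subject'] ?? '');
        $body    = (string)($params['message'] ?? '');
        foreach ($this->hooks as $hook) {   // a plugin (e.g. SMTP) gets first refusal
            if ($hook($to, $from, $subject, $body) === true) {
                return true;
            }
        }
        $headers = "From: $from\r\nContent-Type: text/plain; charset=UTF-8";
        return mail($to, $subject, $body, $headers);
    }
}

// Constructed usage: the missing-recipient case from post #11 now fails in PHP,
// before the message reaches the MTA as a "No recipient addresses" error.
try {
    (new TinyMailer())->send(['from_address' => 'ttrss@example.invalid',
        'subject' => 'Password recovery', 'message' => 'constructed body']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```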


#13

Yes, you are absolutely right. I just installed it because it did not work at first, so I thought this would fix it.

works, thanks!