Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Please see this conversation:
https://github.com/PHPMailer/PHPMailer/issues/250
Comment | File | Size | Author |
---|---|---|---|
#52 | smtp-phpmailer6-2295773-52.patch | 106.03 KB | dsnopek |
#39 | innerdiff_37-39.patch | 609 bytes | Megha_kundar |
#39 | 2295773-39.patch | 23.86 KB | Megha_kundar |
| |||
#37 | innerdiff_34-37.txt | 1.35 KB | Megha_kundar |
#37 | 2295773-37.patch | 23.82 KB | Megha_kundar |
Comments
Comment #1
Island Usurper CreditAttribution: Island Usurper commentedI'm debating whether I should try to port this module to PHPMailer 5.2. It might make things better for a 7.x-2.x version. Then again, I've used it just fine for a long time, so I wonder if things are actually buggy enough to fix.
Comment #2
wundo CreditAttribution: wundo at Chuva Inc. commentedUpdating to a newer PHPMailer 5.2 is on my roadmap, but if you want to lead it, I'd glad to help you out!
Comment #3
DamienMcKennaComment #4
sebbo CreditAttribution: sebbo commentedThe "SMTP Authentication Support" module 7.x-1.7 is still using PHPMailer 5.1. Since 9th December 2016, the developer of PHPMailer said, that v5.2.17 will be the last feature release of 5.2 - it will only receive security fixes in future. Instead you should use PHPMailer 6.0.
What are the reasons, that it wasn't updated with the last smtp module version? Do you plan to update it and if yes: When?
Between PHPMailer 5.1 and 5.2.24 were many security/vulnerability fixes, improvements and new features added. Here are just some changes, why I would like to update PHPMailer:
Comment #5
qqboy CreditAttribution: qqboy commentedthis issue is created in 2014, but now still pending.
Comment #6
siramsay CreditAttribution: siramsay as a volunteer commentedfrom the read me
"This module no longer uses the PHPMailer package as an external library"
so maybe close this issue?
Comment #7
mmjvb CreditAttribution: mmjvb as a volunteer commentedWhy close? The issue is still valid!
This module includes PHPMailer v5.1 with all versions: 7.x-1.x, 7.x-2.x and 8.x-1.x. The request is to update it.
Considering PHPMailer is already included, only needs updating, it is.not a feature request, changed it into a support request.
EDIT: For those that do understand the issue, have a look at https://www.drupal.org/node/2711559
Note that it is for D8, not D7.
Comment #8
dqdDescriptions of the Priority and Status values can be found in the Issue queue handbook. Further useful informations about issue handling in general and also about which category should be set can be found under Bug Squad: "How to work the issue queue". A quote from the category support: support issues should be general questions about how to perform a specific task.
So if somebody still asks for a library implementation which is not planned yet or has been removed before, it is rather a feature request than a support request. But, TBH, if it has been removed before, the chance is small that it will be implemented again unless the feature request includes good reaons to implement it again.
Comment #9
laborouge CreditAttribution: laborouge commented+1
Request to update to the latest version of PHPMAILER.
Thanks for the module. Very useful.
Comment #10
cosolom CreditAttribution: cosolom commentedstart point. for me worked, but maybe need some rework and tests.
After applied patch you need install phpmailer by composer. run in folder with module:
composer install
Comment #11
laborouge CreditAttribution: laborouge commentedSo many thanks for your fast answer and this patch.
I try to apply and test it in few days.
Comment #12
laborouge CreditAttribution: laborouge commentedIt works for me.
Thanks.
Comment #13
twistednexus CreditAttribution: twistednexus commentedYou definitely shouldn't use that patch in a production site. It disables SSL Certificate validation so you have no idea where you're connecting.
Alternatively, you should remove this block from the patch for smtp.mail.inc.
Comment #14
wundo CreditAttribution: wundo at Chuva Inc. commentedComment #15
spelcheck CreditAttribution: spelcheck as a volunteer commentedRe-rolled @cosolum #10 patch, added some legitimate library requirements, warning messages and removed the need for composer (although everyone should be using composer higher up the chain). Included suggestion from #13 @twistednexus.
Don't expect it to work with PHP5.6, but will take a couple stabs at testing ^php7 and see what happens.
Comment #16
spelcheck CreditAttribution: spelcheck as a volunteer commentedAdded libraries module requirement.
Comment #17
spelcheck CreditAttribution: spelcheck as a volunteer commentedTest failing on previous patches because it requires PHPMailer. Added catch-all searching logic to load PHPMailer even if it needs to download it using libraries module. Added admin options to control the sent SSL options in #13 (and so that testing can disable them). Added additional notifications when it is using the libraries include_check_path() function, recommending the user install the library "correctly".
Obviously up to the user where they want to put their libraries, but having them hanging out in public files/include/ writable by apache doesn't sound like a good thing, especially since all emails will go through it.
Comment #18
spelcheck CreditAttribution: spelcheck as a volunteer commentedComment #19
spelcheck CreditAttribution: spelcheck as a volunteer commentedForgot to add
test_dependencies[] = libraries
in smtp.infoComment #20
spelcheck CreditAttribution: spelcheck as a volunteer commentedTesting is failing as though
smtp
module isn't enabled. I just movedlibraries
abovesmtp
in setUp() to see if maybe libraries needs to be earlier in the array for setUp(). Other than that, I'm out of ideas. The patch does work well though, and simpletest on my local runs without a hitch. Would appreciate anybody who's familiar with CI to suggest a fix.Comment #21
spelcheck CreditAttribution: spelcheck as a volunteer commentedAny new .info test_dependencies aren't going to be read by testbot unless they are committed, and the alternative of adding require-dev dependencies in a composer.json file makes simpletest exit as
ERROR: No valid tests were specified.
which looks like how #10 tested as well.I put more time into fleshing out the library requirements, status reporting, and giving smtp the option to utilize the Include module when available to automatically download PHPMailer. For the DrupalCI testing, I built in functionality specifically for simpletests to download the PHPMailer library from github using ::cough:: file_get_contents().
If we could get the include module added to smtp.info as a test_dependency, or if I can get the composer.json method working, I'll remove that code and rely on Include module to download the library. I'm against adding legitimate dependencies, but doesn't hurt to utilize great utility modules like Libraries and Include when they are present.
Comment #22
spelcheck CreditAttribution: spelcheck as a volunteer commentedSince previous patch #21..
Fixed:
- libraries module replacement of phpmailer library search was broken
- some drupal coding standards (in this patch only, not the entire project)
Changed:
- moved the drupalci testbot-related library download code to smtp_tests.module
- now uses drupal_http_request instead of file_get_contents of remote files
- sanity check for returned 'x-github-request-id' header on downloads
Added:
- minimum version setting in smtp.install
- phpmailer version minimum requirement handling, reporting
Note:
- We look for 'PHPMailer' cased library folder, but some other smtp-related modules look for 'phpmailer' (lowercase). I think it's a good idea to continue looking for 'PHPMailer' instead, as it's doubtful other modules are using ^6.0 PHPMailer and this way they might be able to play nice.
Future: @wundo
- Add
test_dependencies = include;
to smtp.info file so that we don't have to rely on a custom function that hastily does what the include module would do for us in order for DrupalCI testbot (and I assume others) to test successfully. I'll defer to maintainer's judgement.:: beg ::
Comment #23
spelcheck CreditAttribution: spelcheck as a volunteer commentedThis patch (#22) plays nice with a the other patches I'm using:
Comment #24
spelcheck CreditAttribution: spelcheck as a volunteer commentedSince previous patch #22..
Fixed:
- smtp.admin.inc was missing the new 'Advanced SSL settings' section that allow user setting SSL options (@see #13)
Todo:
- If this gets any traction, I'll remove the chaff
smtp.transport.inc
andsmtp.phpmailer.inc
Comment #25
spelcheck CreditAttribution: spelcheck as a volunteer commentedUp to @wundo what they'd like to do with this, as it addresses a few issues that have RTBC patches, namely https://www.drupal.org/project/smtp/issues/2566561. Worth reviewing though IMO.
Comment #26
spelcheck CreditAttribution: spelcheck as a volunteer commentedSince patch #24..
Fixed:
- (#22) libraries module replacement of phpmailer library search was [still] broken.. needed a trailing slash.
Comment #27
arvana CreditAttribution: arvana commentedApplied patch in #26 and it's working for me, thanks @spelcheck!
Comment #28
Chris Matthews CreditAttribution: Chris Matthews commentedComment #29
geoffreyr CreditAttribution: geoffreyr commentedTiny update to #26 that adds an extra module include line in smtp_requirements. This means that if the site's ever in a situation where it's doing an install, but smtp.module hasn't been loaded yet, it won't throw a fatal error due to not being able to find the function smtp_phpmailer_available.
Comment #30
geoffreyr CreditAttribution: geoffreyr commentedI think this needs another pass, because even with the latest code, I'm not even sure it's including PHPMailer from its sites/all/libraries directory. I suspect it's using the old PHPMailer class file, because it finds the PHPMailer class, but can't use any of the newer methods such as addStringEmbeddedImage. Which is highly unfortunate because I'm trying to use it to fix multipart embedding elsewhere...
Comment #31
rivimeyUpdate title to make it much clearer this is a D7 change.
See #2711559: Set phpMailer as a external library using composer (and update it to 6.0) for the D8/9 change, which just reverts to including PHPmailer via Composer.
Comment #32
solideogloria CreditAttribution: solideogloria commentedThe install file changes in #29 added a duplicate
$t = get_t();
line.I removed it in this patch.
Comment #34
solideogloria CreditAttribution: solideogloria commentedApplied codesniffer fixes.
Comment #36
TR CreditAttribution: TR commentedYou fixed a lot of coding standards problems, but this patch still adds 5 new problems. Those should be corrected - no sense in adding new problems.
It would be nice to see an interdiff so we can tell what you changed from the patch in #29 ...
Comment #37
Megha_kundar CreditAttribution: Megha_kundar commentedHI,
i haved phpcs error also in this patch.
Comment #39
Megha_kundar CreditAttribution: Megha_kundar commentedComment #40
solideogloria CreditAttribution: solideogloria commentedThe errors from the earlier tests were because an external resource was returning an HTTP error, not because of anything I changed. Literally all I did from 29 was remove a duplicate line. View the patch in #29, scroll down to the install file, and see that it called get_t() twice.
Comment #42
rivimeyI thought I would review this code as that doesn't seem to have happened yet.
I have serious misgivings about the code that downloads the library to the public files folder and then runs it. If not for that it's mostly OK but in its current state I think this poses a security risk.
Not a good intro line. We can see it's a function...
I would suggest a short form of the next para, just "Submit handler...form." and of then delete that second para.
As we're changing the line, could we also trim its length (minimally at "array(").
Please word-wrap this code.
It doesn't cost much to put in a "something weird happened" message. Good programming is about handling edge cases.
I think the doc should state here that (only) the PHPMailer key will be written.
Why 'usually'?
This is the definition of this function's API. If you don't know, nobody does...
What about:
sites/default/libraries
and possibly:
../libraries
- (making that one up, is it a thing)?
As commented earlier, not happy about this; at the very least, there needs to be protections in place against using this as an attack vector.
Please reconsider including this.
This could be done as:
$exists = class_exists();
return smtp_*ize(..., !$exists);
Is there a good reason to use the long form?
It would be better if this check was done at the strt of the function.
Can we lose the initial commas please.
In fact, not really sure these commenta add anything at all. Better remove them.
Comment #43
TR CreditAttribution: TR commentedI really don't like this patch either, for the same reasons stated above by @rivimey
This is D7, and we can require manual installation of external libraries like PHPMailer, or we can use the Libraries module to facilitate this, or we can require composer_manager, or we can bundle our own forked copy of PHPMailer (which is what we currently do in D7), but rolling our own automatic download should not be considered.
Since this issue is about replacing our forked/bundled version of PHPMailer with the current version, I would stick either with bundling the current version as we do now OR modifying the installation instructions to describe how to manually download the current version and where to put it.
But since D7 is mature and nearing its end-of-life, and because there are 100,000 D7 sites using this module, any change here needs a hook_update_N() and a hook_requirements() to ensure that these legacy D7 sites get update properly, regardless of which download method we choose.
And because this is so potentially disruptive, there ought to be a REALLY good reason to change the module, because this change is CERTAIN to cause problems with many existing sites. #4 provides some good reasons, and in general it would be much better and more supportable if we used the current version of PHPMailer rather than our own forked version. But the transition, for existing sites, concerns me, and deserves more attention here.
Comment #44
solideogloria CreditAttribution: solideogloria commentedPerhaps a good argument for keeping it a fork is so that users don't have to worry about which version of the library they are supposed to use.
Also, the issue says update to 6.0, and #4 says to use 5.2. Which are we actually talking about?
Comment #45
rivimey@solideogloria I believe we started asking for 5.2 when that was still reasonably current but as it's now obsolete itself, the request changed to 6.0. I would prefer the code was not 'forked' in the sense of setting up a new module name: that would be a retrograde step I feel.
@TR 100% agree with you.
I think the best option re: the upgrade issue would be to bump the major version to 2.x, which has always been a pretty strong hint that something big changed. In this case, the big thing changing would be phpmailer itself, and how to install it: I believe settings can be updated well enough.
What I would suggest re: download would be that a drush command was created that would download phpmailer and put it in (exactly one) directory that the libraries module would see it. Then the smtp_requirements() code could detect its absence and instruct users to put the library there by hand or run the drush command to do it automatically. There are several other contrib modules in D7 which do this already, so I would search them out and copy their mistakes rather than make our own brand new ones.
Given the above is a fair bit of work and how many people are using the module anyway, I'm not sure if this is worth the effort. However if someone else does think it is worthwhile, I think the above would be an acceptable solution.
The big thing I am against is anything that enables the website to write or update its own code without a LOT of security attention being paid to it, and this patch doesn't qualify. One point to note is that when composer downloads code it checks the checksum of the package, rather than just assuming all was well.
Comment #46
TR CreditAttribution: TR commentedYou're right, that's probably the best option, but it would have to be 7.x-3.x since there's already an abandoned 7.x-2.x branch, unless we wanted to re-purpose that 7.x-2.x branch. But I remember reading something in a closed issue about there were sites still using 7.x-2.x ...
Regardless, if we're taking about branching and upgrading the PHPMailer version, we really need active participation here from a maintainer. I personally wouldn't want to spend any effort to make this happen without the maintainer being 100% behind it.
Comment #47
solideogloria CreditAttribution: solideogloria commentedThere are still sites on 2.x
Comment #48
solideogloria CreditAttribution: solideogloria commentedComment #49
thomasmurphy CreditAttribution: thomasmurphy at Xequals commentedThe module is currently bundling an unsupported version of the library, which generates a status report error and may be insecure.
Comment #50
japerryAs Drupal 7 is nearing EOL, I'm finding it hard to justify moving to PHPMailer 6.0. However, it should be using the latest version the 5.2 branch.
Marking closed for now. If you want to use PHPMailer 6, feel free to take patches from this issue or roll your own with composer manager. But I don't think we should break existing D7 sites with updating a major version of PHPMailer.
Comment #51
rivimey@japerry Please do make this so.... while standard EOL is only a year-ish away, there is also commercial support.
Moving to 5.2 is I think no easier than to 6.0, because the version of the code included in the module is an ancient hacked around version of, probably, PHPMailer 3, with some (but probably not all) security fixes applied. Getting onto 6.0 could well prevent an SMTP module CVE.
If this patch needs simplification for the purposes of risk reduction, then so be it, but I think it would be very preferable, even at this stage, to get onto a supported version of PHPMailer, and do so soon.
To be clear, I am asking for phpmailer to be included verbatim in the module code, if that is permissible, as the safe alternative to getting involved with composer on D7.
Comment #52
dsnopekI know this will probably never be committed per @japerry's comment above, but here is a new patch that is much simplified. It uses the 'libraries' module to load from a directory named 'phpmailer' (under sites/all/libraries or any of the other locations that 'libraries' will check), and has a
hook_requirements()
to ensure that PHPMailer 6 is used. The reason the patch is so big is that it's removing the PHPMailer code that was originally included in the module - otherwise, the changes are pretty minimal, as the API for PHPMailer 6.x is very similar to 5.x.Hopefully, this will be useful to someone!