memo.xight.org

Daily notes

Updating Drupal's smtp module + PHPMailer

Summary

Mitigate the PHPMailer remote code execution vulnerability on a Drupal site.

sites/all/libraries/PHPMailer

cd sites/all/libraries
git clone https://github.com/PHPMailer/PHPMailer
ln -s PHPMailer phpmailer


sites/all/modules/smtp/smtp.module

Change the included file from class.phpmailer.php to PHPMailerAutoload.php.

/**
 * Load the PHPMailer library.
 *
 * @return
 *   TRUE if the PHPMailer library is loaded, FALSE otherwise.
 */
function smtp_load_library() {
  // Include the PHPMailer class (which includes the SMTP class).
  if (!class_exists('PHPMailer')) {
    // First try using the libraries module.
    if (module_exists('libraries')) {
      // $smtp_phpmailer_library = module_invoke('libraries', 'get_path', 'phpmailer') . '/class.phpmailer.php';
      $smtp_phpmailer_library = module_invoke('libraries', 'get_path', 'phpmailer') . '/PHPMailerAutoload.php';
    }
    // If you aren't using libraries, then check a couple other places.
    else {
      // Look in the default libraries location.
      // $smtp_phpmailer_library = 'sites/all/libraries/phpmailer/class.phpmailer.php';
      $smtp_phpmailer_library = 'sites/all/libraries/phpmailer/PHPMailerAutoload.php';
      // If the default libraries doesn't exist, then try the old module location.
      if (!file_exists($smtp_phpmailer_library)) {
        // $smtp_phpmailer_library = drupal_get_path('module', 'smtp') .'/phpmailer/class.phpmailer.php';
        $smtp_phpmailer_library = drupal_get_path('module', 'smtp') .'/phpmailer/PHPMailerAutoload.php';
      }
    }
    // Now include whatever you found.
    if (file_exists($smtp_phpmailer_library)) {
      require_once($smtp_phpmailer_library);
    }
  }

  // Tell the caller if PHPMailer class exists.
  return class_exists('PHPMailer');
}
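
The check below is an added example, not part of the original memo or of the smtp module: it confirms that the directory smtp.module loads from holds a PHPMailer at or above a minimum fixed version and still contains PHPMailerAutoload.php. The function names are hypothetical, the minimum version is supplied by the caller (take it from the advisory), and reading the release number from a VERSION file at the top of the PHPMailer checkout is an assumption about the library layout.

```shell
#!/bin/sh
# Added example: post-update check for the PHPMailer copy used by smtp.module.

# version_ge A B: succeed when dotted numeric version A >= B.
# Components are compared numerically, so 5.2.10 is newer than 5.2.9.
version_ge() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# check_phpmailer DIR MIN_VERSION
#   0 = version >= MIN_VERSION and PHPMailerAutoload.php present
#   1 = VERSION file missing or not a plain dotted number
#   2 = installed version is older than MIN_VERSION
#   3 = PHPMailerAutoload.php missing (smtp_load_library() cannot load it)
check_phpmailer() {
  dir=$1 min=$2
  [ -f "$dir/VERSION" ] || return 1
  ver=$(tr -d ' \t\r\n' < "$dir/VERSION")
  case $ver in ''|*[!0-9.]*) return 1 ;; esac
  version_ge "$ver" "$min" || return 2
  [ -f "$dir/PHPMailerAutoload.php" ] || return 3
  return 0
}

# Usage: sh check.sh sites/all/libraries/phpmailer <fixed-version-from-advisory>
if [ "$#" -eq 2 ]; then
  rc=0
  check_phpmailer "$1" "$2" || rc=$?
  echo "check_phpmailer: $rc"
  exit "$rc"
fi
```

Status 3 matters after a plain git clone of the default branch: later PHPMailer major releases no longer ship PHPMailerAutoload.php, in which case the modified smtp_load_library() finds no file to include and returns FALSE.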


Reference

github.com - PHPMailer
https://github.com/PHPMailer/PHPMailer

Drupal.org - PHPmailer 3rd party library - DRUPAL-SA-PSA-2016-004
https://www.drupal.org/psa-2016-004

Qiita - Scope of impact of the PHPMailer remote code execution vulnerability (CVE-2016-10033)
http://qiita.com/ichikaway/items/d2d9205c57f35b618951