
Implement a first-party SMTP client
Open, Normal, Public

Description

We currently use PHPMailer (and PHPMailerLite, which is basically the same thing but without SMTP wire code) to build SMTP message bodies for mail.

Over time we've made changes to these classes to defuse security issues, work around bugs, or add capabilities, and it feels like we've reached a position where the cost of these externals (which are not very large, but have proven rich with issues) outweighs the benefit. Notable issues:

  • T12046, which is fairly egregious.
  • T12372, which uncovered some pretty questionable behavior in basic message construction in a realistic environment.
  • T5969 isn't exactly related but would fall in line here.
  • General issues with /e on regexps, switching to ExecFuture, etc.
  • The SES vs PHPMailer vs PHPMailerLite thing is a mess.
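The "/e on regexps" item refers to PHP's old `preg_replace` `/e` modifier, which passed the replacement string through `eval()` after splicing in the match (deprecated in PHP 5.5, removed in PHP 7.0). The following is an added illustration, not code from Phabricator or PHPMailer, of the shape that problem takes and of the `preg_replace_callback` idiom that replaces it; the header-encoding transformation (RFC 2047 Q-encoding) is chosen here only as a realistic mail-building example and is assumed, not taken from the task.

```php
<?php
// Added example, not Phabricator or PHPMailer code.
//
// The deprecated pattern looked roughly like this (it no longer runs on PHP 7+,
// where /e is an unknown modifier):
//
//   preg_replace('/([^A-Za-z0-9!*+\/ -])/e',
//                "'='.sprintf('%02X', ord('\\1'))", $text);
//
// With /e the replacement is real PHP code and the captured text is spliced
// into it as a string literal. Any escaping mistake around the \\1 splice lets
// a crafted header value break out of the literal and execute, so reviewers
// treat every /e use as a code-injection sink. preg_replace_callback hands the
// match to a function instead, so there is nothing to eval.

/**
 * Q-encode header text per RFC 2047 (body only, without the =?charset?Q?...?= wrapper).
 * Letters, digits and !*+-/ pass through; everything else becomes =XX; spaces
 * become underscores, and a literal underscore is escaped before that happens.
 */
function encodeQHeader(string $text): string
{
    $encoded = preg_replace_callback(
        '/([^A-Za-z0-9!*+\/ -])/',
        static function (array $m): string {
            // $m[1] is plain data here, never interpreted as code.
            return sprintf('=%02X', ord($m[1]));
        },
        $text
    );

    if ($encoded === null) {
        // preg_* return null on a PCRE error (e.g. backtrack limit); fail closed
        // rather than emitting a half-encoded header.
        throw new RuntimeException('Q-encoding failed: ' . preg_last_error_msg());
    }

    return str_replace(' ', '_', $encoded);
}

// Constructed sample input: UTF-8 text plus characters that are special in Q-encoding.
$sample = "Caf\xC3\xA9 status_report ?=";
echo encodeQHeader($sample), "\n";
// Caf=C3=A9_status=5Freport_=3F=3D
```

The hardened version is also easier to review: the only code that runs is the closure you can read, and a PCRE failure surfaces as an exception instead of a silently truncated header.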

Event Timeline

This doesn't affect us, but more fuel on the fire -- XSS in example code which ships with PHPMailer (we don't distribute this code):

https://nvd.nist.gov/vuln/detail/CVE-2017-11503