
Implement a first-party SMTP client
Open, Normal, Public

Description

We currently use PHPMailer (and PHPMailerLite, which is basically the same thing but without SMTP wire code) to build SMTP message bodies for mail.

Over time we've made changes to these classes to defuse security issues, work around bugs, or add capabilities, and it seems we've reached the point where the cost of these external dependencies (which are not very large, but have proven rich with issues) outweighs the benefit. Notable issues:

  • T12046, which is fairly egregious.
  • T12372, which uncovered some pretty questionable behavior in basic message construction in a realistic environment.
  • T5969 isn't exactly related but would fall in line here.
  • General issues with /e on regexps, switching to ExecFuture, etc.
  • The split between the SES, PHPMailer and PHPMailerLite code paths is a mess.

Event Timeline

ftdysa added a subscriber: ftdysa. Mar 17 2017, 1:38 AM
hskiba added a subscriber: hskiba. Mar 24 2017, 1:13 PM

This doesn't affect us, but more fuel on the fire -- XSS in example code which ships with PHPMailer (we don't distribute this code):

https://nvd.nist.gov/vuln/detail/CVE-2017-11503

epriestley moved this task from Backlog to Future on the Mail board. Jan 27 2018, 9:54 PM
pasik added a subscriber: pasik. May 12 2018, 2:11 PM
epriestley moved this task from Future to Infrastructure on the Mail board. Mon, Jan 14, 4:55 PM