Merge pull request #2244 from Automattic/fix/vip-mail-5.4

Don't include the VIP_PHPMailer on WordPress < 5.5, add test coverage
Automattic · Jun 24, 2021 · e107703 · e107703
2 parents 02112ef + 5fafe00
commit e107703
Show file tree

Hide file tree

Showing 2 changed files with 87 additions and 25 deletions.
diff --git a/tests/test-vip-mail.php b/tests/test-vip-mail.php
@@ -1,9 +1,13 @@
 <?php
 
+
 class VIP_Mail_Test extends \WP_UnitTestCase {
 	public function setUp() {
 		parent::setUp();
 		reset_phpmailer_instance();
+		if ( ! defined( 'USE_VIP_PHPMAILER' ) ) {
+			define( 'USE_VIP_PHPMAILER', true );
+		}
 	}
 
 	public function test__all_smtp_servers__not_array() {
@@ -57,4 +61,59 @@ public function test__has_tracking_header_with_key() {
 
 		$this->assertRegExp( '/X-Automattic-Tracking: 1:\d+:.+:\d+:\d+:\d+(\\r\\n|\\r|\\n)/', $header );
 	}
+
+	/**
+	 * @preserveGlobalState disabled
+	 * @runInSeparateProcess
+	 */
+	public function test_load_VIP_PHPMailer_gte_55() {
+		global $wp_version;
+		if ( version_compare( $wp_version, '5.5', '<' ) ) {
+			$this->markTestSkipped( 'Not testing WP < 5.5' );
+		}
+
+		$this->assertEquals( true, class_exists( 'VIP_PHPMailer' ), 'VIP_PHPMailer should be loaded on >= 5.5. Version: ' . $wp_version );
+	}
+
+	/**
+	 * @preserveGlobalState disabled
+	 * @runInSeparateProcess
+	 */
+	public function test_dont_load_VIP_PHPMailer_lt_55() {
+		global $wp_version;
+		if ( version_compare( $wp_version, '5.5', '>=' ) ) {
+			$this->markTestSkipped( 'Not testing WP < 5.5' );
+		}
+
+		$this->assertEquals( false, class_exists( 'VIP_PHPMailer' ), 'VIP_PHPMailer should not be loaded on < 5.5. Version: ' . $wp_version );
+	}
+
+	/**
+	 * Test base cases here: local attachment and a remote (disallowed)
+	 *
+	 * @return void
+	 */
+	public function test__attachments_path_validation() {
+		global $wp_version;
+		if ( version_compare( $wp_version, '5.5', '<' ) ) {
+			$this->markTestSkipped( 'Skipping VIP_PHPMailer logic validation on WP < 5.5' );
+		}
+
+		$temp = tmpfile();
+		fwrite( $temp, "I'm a test file" );
+		$filename = stream_get_meta_data( $temp )['uri'];
+		wp_mail( 'test@example.com', 'Test with attachment', 'Test', '', [ $filename ] );
+		fclose( $temp );
+
+		$mailer = tests_retrieve_phpmailer_instance();
+
+		$this->assertStringContainsString( 'Content-Disposition: attachment; filename=' . basename( $filename ), $mailer->get_sent()->body );
+
+		reset_phpmailer_instance();
+
+		wp_mail( 'test@example.com', 'Test with attachment', 'Test', '', [ 'http://lorempixel.com/400/200/' ] );
+		$mailer = tests_retrieve_phpmailer_instance();
+
+		$this->assertThat( $mailer->get_sent()->body, $this->logicalNot( $this->stringContains( 'Content-Disposition: attachment; filename=' ) ) );
+	}
 }
diff --git a/vip-mail.php b/vip-mail.php
@@ -7,36 +7,39 @@
 Version: 1.0
 License: GPL version 2 or later - http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
 */
+if ( version_compare( $wp_version, '5.5', '>=' ) ) {
+	if ( ! class_exists( 'PHPMailer\PHPMailer\PHPMailer' ) ) {
+		require_once ABSPATH . WPINC . '/PHPMailer/PHPMailer.php';
+		require_once ABSPATH . WPINC . '/PHPMailer/SMTP.php';
+		require_once ABSPATH . WPINC . '/PHPMailer/Exception.php';
+	}
 
-if ( ! class_exists( 'PHPMailer\PHPMailer\PHPMailer' ) ) {
-	require_once ABSPATH . WPINC . '/PHPMailer/PHPMailer.php';
-	require_once ABSPATH . WPINC . '/PHPMailer/SMTP.php';
-	require_once ABSPATH . WPINC . '/PHPMailer/Exception.php';
-}
-class VIP_PHPMailer extends PHPMailer\PHPMailer\PHPMailer {
-	/**
-	 * Check whether a file path is of a permitted type.
-	 *
-	 * Used to reject URLs and phar files from functions that access local file paths,
-	 * such as addAttachment. Allows VIP File System's `vip` protocol.
-	 *
-	 * @param string $path A relative or absolute path to a file
-	 *
-	 * @return bool
-	 */
-	protected static function isPermittedPath( $path ) {
-		if ( 0 === strpos( $path, 'vip://wp-content/uploads' ) ) {
-			return true;
-		} else {
-			return ! preg_match( '#^[a-z]+://#i', $path );
+	class VIP_PHPMailer extends PHPMailer\PHPMailer\PHPMailer {
+		/**
+		 * Check whether a file path is of a permitted type.
+		 *
+		 * Used to reject URLs and phar files from functions that access local file paths,
+		 * such as addAttachment. Allows VIP File System's `vip` protocol.
+		 *
+		 * @param string $path A relative or absolute path to a file
+		 *
+		 * @return bool
+		 */
+		protected static function isPermittedPath( $path ) {
+			if ( 0 === strpos( $path, 'vip://wp-content/uploads' ) ) {
+				return true;
+			} else {
+				return ! preg_match( '#^[a-z]+://#i', $path );
+			}
 		}
 	}
-}
 
-if ( defined( 'USE_VIP_PHPMAILER' ) && true === USE_VIP_PHPMAILER ) {
-	global $phpmailer;
-	$phpmailer = new VIP_PHPMailer( true ); // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
+	if ( defined( 'USE_VIP_PHPMAILER' ) && true === USE_VIP_PHPMAILER ) {
+		global $phpmailer;
+		$phpmailer = new VIP_PHPMailer( true ); // phpcs:ignore WordPress.WP.GlobalVariablesOverride.Prohibited
+	}
 }
+
 class VIP_Noop_Mailer {
 	function __construct( $phpmailer ) {
 		$this->subject = $phpmailer->Subject ?? '[No Subject]';