Revert change that made the mail() and sendmail transports set the …

…envelope sender if one isn't explicitly provided, as it causes problems described at <PHPMailer#2298>
robertmathews · Mar 31, 2021 · b551a12 · b551a12
1 parent e8db1cd
commit b551a12
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 10 deletions.
diff --git a/changelog.md b/changelog.md
@@ -4,6 +4,7 @@
 * Check for mbstring extension before decoding addresss in `parseAddress`
 * Add Serbian Latin translation (`sr_latn`)
 * Enrol PHPMailer in Tidelift
+* Revert change that made the `mail()` and sendmail transports set the envelope sender if one isn't explicitly provided, as it causes problems described at <https://github.com/PHPMailer/PHPMailer/issues/2298>
 
 ## Version 6.3.0 (February 19th, 2021)
 * Handle early connection errors such as 421 during connection and EHLO states

diff --git a/src/PHPMailer.php b/src/PHPMailer.php
@@ -1684,25 +1684,24 @@ protected function sendmailSend($header, $body)
         //Sendmail docs: http://www.sendmail.org/~ca/email/man/sendmail.html
         //Qmail docs: http://www.qmail.org/man/man8/qmail-inject.html
         //Example problem: https://www.drupal.org/node/1057954
-        //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
-        if ('' === $this->Sender) {
-            $this->Sender = $this->From;
-        }
         if (empty($this->Sender) && !empty(ini_get('sendmail_from'))) {
             //PHP config has a sender address we can use
             $this->Sender = ini_get('sendmail_from');
         }
         //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
-        //But sendmail requires this param, so fail without it
         if (!empty($this->Sender) && static::validateAddress($this->Sender) && self::isShellSafe($this->Sender)) {
             if ($this->Mailer === 'qmail') {
                 $sendmailFmt = '%s -f%s';
             } else {
                 $sendmailFmt = '%s -oi -f%s -t';
             }
         } else {
-            $this->edebug('Sender address unusable or missing: ' . $this->Sender);
-            return false;
+            //allow sendmail to choose a default envelope sender. It may
+            //seem preferable to force it to use the From header as with
+            //SMTP, but that introduces new problems (see
+            //<https://github.com/PHPMailer/PHPMailer/issues/2298>), and
+            //it has historically worked this way.
+            $sendmailFmt = '%s -oi -t';
         }
 
         $sendmail = sprintf($sendmailFmt, escapeshellcmd($this->Sendmail), $this->Sender);
@@ -1862,9 +1861,6 @@ protected function mailSend($header, $body)
         //Qmail docs: http://www.qmail.org/man/man8/qmail-inject.html
         //Example problem: https://www.drupal.org/node/1057954
         //CVE-2016-10033, CVE-2016-10045: Don't pass -f if characters will be escaped.
-        if ('' === $this->Sender) {
-            $this->Sender = $this->From;
-        }
         if (empty($this->Sender) && !empty(ini_get('sendmail_from'))) {
             //PHP config has a sender address we can use
             $this->Sender = ini_get('sendmail_from');