protected static function PHPMailer::isShellSafe

5.x PHPMailer.php protected static PHPMailer::isShellSafe($string)

Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters. Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.

Parameters

string $string The string to be validated.

Return value

bool

See also

https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report

2 calls to PHPMailer::isShellSafe()
PHPMailer::mailSend in inc/PHPMailer/src/PHPMailer.php
Send mail using the PHP mail() function.
PHPMailer::sendmailSend in inc/PHPMailer/src/PHPMailer.php
Send mail using the $Sendmail program.

File

inc/PHPMailer/src/PHPMailer.php, line 1652

Class

PHPMailer
PHPMailer - PHP email creation and transport class.

Namespace

PHPMailer\PHPMailer

Code

protected static function isShellSafe($string)
{
    // Future-proof
    if (escapeshellcmd($string) !== $string
        or !in_array(escapeshellarg($string), ["'$string'", "\"$string\""])
    ) {
        return false;
    }

    $length = strlen($string);

    for ($i = 0; $i < $length; ++$i) {
        $c = $string[$i];

        // All other characters have a special meaning in at least one common shell, including = and +.
        // Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
        // Note that this does permit non-Latin alphanumeric characters based on the current locale.
        if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
            return false;
        }
    }

    return true;
}
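As an added example (not PHPMailer's own code), the script below restates the allow-list rules of the method above inside a hypothetical SenderGuard class and pairs them with a mailParams() helper modelled on how PHPMailer::mailSend() gates the -f envelope-sender parameter; it then runs both over a few constructed addresses to show which RFC-valid addresses the conservative allow-list turns away and what the caller does in that case.

```php
<?php
// Added example (not PHPMailer's own code): exercises the allow-list logic
// of isShellSafe() and shows how a caller gates a sender address before
// it is handed to mail()'s additional_parameters.

final class SenderGuard
{
    // Same rules as PHPMailer::isShellSafe(): reject anything that
    // escapeshellcmd()/escapeshellarg() would alter, then allow only
    // alphanumerics plus the four characters @ _ - .
    public static function isShellSafe(string $string): bool
    {
        if (escapeshellcmd($string) !== $string
            || !in_array(escapeshellarg($string), ["'$string'", "\"$string\""], true)
        ) {
            return false;
        }
        $length = strlen($string);
        for ($i = 0; $i < $length; ++$i) {
            $c = $string[$i];
            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
                return false;
            }
        }
        return true;
    }

    // Hypothetical caller modelled on the pattern in PHPMailer::mailSend():
    // the -f envelope sender is only set when the address passes the
    // allow-list; otherwise no -f is passed and the MTA's default applies.
    public static function mailParams(string $sender): ?string
    {
        if ($sender !== '' && self::isShellSafe($sender)) {
            return sprintf('-f%s', $sender);
        }
        return null;
    }
}

// Constructed sample addresses (not from the page).
$samples = [
    'alice@example.com',          // plain address, only allow-listed characters
    'first.last-2@sub.example',   // . and - are on the allow-list
    'alice+tag@example.com',      // RFC-valid, but + is not on the allow-list
    '"alice smith"@example.com',  // RFC-valid quoted local part with " and a space
];
foreach ($samples as $s) {
    printf("%-28s -> %s\n", $s, SenderGuard::mailParams($s) ?? '(no -f passed)');
}
```

The two rejected addresses are deliverable under RFC 5321, so a deployment that relies on -f for bounce handling should expect the envelope sender to silently fall back to the MTA default for them.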