protected static function PhpMail::_isShellSafe in Drupal 10
Same name and namespace in other branches
- 8 core/lib/Drupal/Core/Mail/Plugin/Mail/PhpMail.php \Drupal\Core\Mail\Plugin\Mail\PhpMail::_isShellSafe()
- 9 core/lib/Drupal/Core/Mail/Plugin/Mail/PhpMail.php \Drupal\Core\Mail\Plugin\Mail\PhpMail::_isShellSafe()
Disallows potentially unsafe shell characters.
Functionally similar to PHPMailer::isShellSafe() which resulted from CVE-2016-10045. Note that escapeshellarg and escapeshellcmd are inadequate for this purpose.
@todo Rename to ::isShellSafe() and/or discuss whether this is the correct location for this helper.
Parameters
string $string: The string to be validated.
Return value
bool True if the string is shell-safe.
See also
https://github.com/PHPMailer/PHPMailer/issues/924
https://github.com/PHPMailer/PHPMailer/blob/v5.2.21/class.phpmailer.php#...
1 call to PhpMail::_isShellSafe()
- PhpMail::mail in core/
lib/ Drupal/ Core/ Mail/ Plugin/ Mail/ PhpMail.php - Sends an email message.
File
- core/
lib/ Drupal/ Core/ Mail/ Plugin/ Mail/ PhpMail.php, line 164
Class
Namespace
Drupal\Core\Mail\Plugin\MailCode
protected static function _isShellSafe($string) {
if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), [
"'{$string}'",
"\"{$string}\"",
])) {
return FALSE;
}
if (preg_match('/[^a-zA-Z0-9@_\\-.]/', $string) !== 0) {
return FALSE;
}
return TRUE;
}