protected static function DefaultMailSystem::_isShellSafe in Drupal 7

Disallows potentially unsafe shell characters.

Functionally similar to PHPMailer::isShellSafe() which resulted from CVE-2016-10045. Note that escapeshellarg and escapeshellcmd are inadequate for this purpose.

@todo Rename to ::isShellSafe() and/or discuss whether this is the correct location for this helper.

Parameters

string $string: The string to be validated.

Return value

bool True if the string is shell-safe.

See also

https://github.com/PHPMailer/PHPMailer/issues/924

https://github.com/PHPMailer/PHPMailer/blob/v5.2.21/class.phpmailer.php#...

1 call to DefaultMailSystem::_isShellSafe()
DefaultMailSystem::mail in modules/system/system.mail.inc
Send an e-mail message, using Drupal variables and default settings.

File

modules/system/system.mail.inc, line 134
Drupal core implementations of MailSystemInterface.

Class

DefaultMailSystem
The default Drupal mail backend using PHP's mail function.

Code

protected static function _isShellSafe($string) {
  if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), array(
    "'{$string}'",
    "\"{$string}\"",
  ))) {
    return FALSE;
  }
  if (preg_match('/[^a-zA-Z0-9@_\\-.]/', $string) !== 0) {
    return FALSE;
  }
  return TRUE;
}
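The following standalone script is an added example, not code from Drupal core or from this API page. It runs a copy of the check above (renamed `is_shell_safe_copy()` so it does not collide with the class method) over a handful of constructed sender strings, so a maintainer can see which values the allowlist accepts and which it refuses before they would reach the `additional_parameters` argument of PHP's `mail()`. The `build_additional_parameters()` helper illustrates the fallback pattern a caller is expected to use; it is an assumption for this example, not the verbatim body of `DefaultMailSystem::mail()`.

```php
<?php
// Added example, not Drupal core code. Copy of the allowlist check from
// DefaultMailSystem::_isShellSafe(), kept behaviourally identical.
function is_shell_safe_copy($string) {
  // Step 1: the string must survive escapeshellcmd() untouched and must come
  // back from escapeshellarg() wrapped in nothing but quotes (single quotes on
  // POSIX, double quotes on Windows). Any byte those functions feel the need
  // to escape is a sign the value is not plain text.
  if (escapeshellcmd($string) !== $string
      || !in_array(escapeshellarg($string), array("'{$string}'", "\"{$string}\""), TRUE)) {
    return FALSE;
  }
  // Step 2: strict allowlist. Only ASCII letters, digits, '@', '_', '-' and '.'
  // are allowed; everything else (whitespace, '+', quotes, non-ASCII) is
  // rejected even though escapeshell*() would have let it through.
  return preg_match('/[^a-zA-Z0-9@_\\-.]/', $string) === 0;
}

// Illustrative caller (assumption, not the exact Drupal code): only hand the
// sender to mail() as "-f<address>" when it passed the check; otherwise send
// with no additional parameters and let the MTA use its default envelope sender.
function build_additional_parameters($return_path) {
  return is_shell_safe_copy($return_path) ? '-f' . $return_path : '';
}

// Constructed inputs for the demonstration; none come from real mail traffic.
$samples = array(
  'user@example.com',               // ordinary address: safe
  'first.last-name_1@example.com',  // dots, dashes, underscores: safe
  'user+tag@example.com',           // '+' is valid in e-mail but not in the allowlist: rejected
  'user@example.com extra',         // whitespace would become a second argument: rejected
  "user@example.com\n",             // trailing newline is escaped by escapeshellcmd(): rejected
  "user'@example.com",              // quote breaks the escapeshellarg() comparison: rejected
);

foreach ($samples as $sender) {
  printf("%-34s => %-8s  additional_parameters=%s\n",
    json_encode($sender),
    is_shell_safe_copy($sender) ? 'safe' : 'REJECTED',
    var_export(build_additional_parameters($sender), TRUE));
}
```

Run it with `php example.php`. Two things worth noticing in the output: a plus-addressed sender such as `user+tag@example.com` is refused by the allowlist even though it is a valid address, so sites relying on sub-addressing for the Return-Path will silently fall back to the default envelope sender; and the rejection of the newline and quote cases happens in the `escapeshell*()` comparison before the regular expression is ever consulted, which is why both layers are kept.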