protected static function HtmlMailSystem::isShellSafe in HTML Mail 8.3

Disallows potentially unsafe shell characters.

Functionally similar to PHPMailer::isShellSafe(), which was introduced in response to CVE-2016-10045. Note that escapeshellarg() and escapeshellcmd() on their own are inadequate for this purpose.

This method should be kept in sync with PhpMail::_isShellSafe().

Parameters

string $string: The string to be validated.

Return value

bool TRUE if the string is shell-safe.

See also

https://github.com/PHPMailer/PHPMailer/issues/924

https://github.com/PHPMailer/PHPMailer/blob/v5.2.21/class.phpmailer.php#...

https://www.drupal.org/sa-core-2018-006

https://www.drupal.org/sa-contrib-2018-069

\Drupal\Core\Mail\Plugin\Mail\PhpMail::_isShellSafe()

1 call to HtmlMailSystem::isShellSafe()
HtmlMailSystem::mail in src/Plugin/Mail/HtmlMailSystem.php
Send an email message.

File

src/Plugin/Mail/HtmlMailSystem.php, line 471

Class

HtmlMailSystem
Modify the Drupal mail system to use HTML Mail when sending emails.

Namespace

Drupal\htmlmail\Plugin\Mail

Code

protected static function isShellSafe($string) {
  // Round-trip check: if escapeshellcmd() or escapeshellarg() would change
  // the string, it contains characters the shell could interpret.
  if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), [
    "'{$string}'",
    "\"{$string}\"",
  ])) {
    return FALSE;
  }
  // Strict allowlist on top of the round-trip check: only letters, digits,
  // '@', '_', '-' and '.' are accepted.
  if (preg_match('/[^a-zA-Z0-9@_\\-.]/', $string) !== 0) {
    return FALSE;
  }
  return TRUE;
}
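The following is an added, stand-alone example and not code from the HTML Mail module or Drupal core. It copies the isShellSafe() logic above into a plain function, uses it to decide whether a sender address may be passed to mail() as an additional parameter (the assumption here is that this is the value that would reach the shell), and runs it over a few constructed inputs to show what each of the two checks rejects and the one edge case the allowlist lets through (the empty string).

```php
<?php
// Added example, not part of the HTML Mail module.
// Hypothetical helpers: is_shell_safe() mirrors HtmlMailSystem::isShellSafe();
// build_sendmail_params() is an assumed caller that gates the "-f" parameter.

/**
 * Stand-alone copy of the HtmlMailSystem::isShellSafe() logic.
 */
function is_shell_safe(string $string): bool {
  // Round-trip check: any change by escapeshellcmd() or escapeshellarg()
  // means the shell would interpret something in the string.
  if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), [
    "'{$string}'",
    "\"{$string}\"",
  ])) {
    return FALSE;
  }
  // Strict allowlist: letters, digits, '@', '_', '-', '.' only.
  if (preg_match('/[^a-zA-Z0-9@_\\-.]/', $string) !== 0) {
    return FALSE;
  }
  return TRUE;
}

/**
 * Returns the additional_parameters value for mail() only when the sender
 * address passes the allowlist, and NULL otherwise so the caller omits "-f"
 * entirely instead of shelling out with an unvetted value.
 * Note that the allowlist accepts the empty string, so the caller must also
 * require a non-empty address.
 */
function build_sendmail_params(string $from): ?string {
  if ($from === '' || !is_shell_safe($from)) {
    return NULL;
  }
  return '-f' . $from;
}

// Constructed sample inputs (not taken from the page or the advisories).
$samples = [
  'user@example.com'                 => 'plain address: safe',
  'first.last-01@mail.example.com'   => 'dots and dashes: safe',
  'user+tag@example.com'             => "'+' is outside the allowlist: rejected",
  'user name@example.com'            => 'space: rejected by the allowlist',
  "user'@example.com"                => 'unpaired quote: rejected by the round-trip check',
  "user\n@example.com"               => 'newline: rejected by the round-trip check',
  ''                                 => 'empty string: passes is_shell_safe(), caught by the caller',
];

foreach ($samples as $input => $note) {
  $verdict = is_shell_safe($input) ? 'safe    ' : 'REJECTED';
  $params  = build_sendmail_params($input) ?? '(no -f parameter)';
  printf("%-40s %s  %-20s %s\n", json_encode($input), $verdict, $params, $note);
}
```

Running the script prints one line per sample; the two checks are complementary: the round-trip check catches quoting and control characters that escapeshellcmd()/escapeshellarg() would rewrite, while the allowlist catches characters such as space and '+' that both PHP functions leave untouched.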