protected static function HtmlMailSystem::isShellSafe in HTML Mail 8.3
Disallows potentially unsafe shell characters.
Functionally similar to PHPMailer::isShellSafe() which resulted from CVE-2016-10045. Note that escapeshellarg and escapeshellcmd are inadequate for this purpose.
This method should be kept in sync with PhpMail::_isShellSafe().
Parameters
string $string: The string to be validated.
Return value
bool TRUE if the string is shell-safe.
See also
https://github.com/PHPMailer/PHPMailer/issues/924
https://github.com/PHPMailer/PHPMailer/blob/v5.2.21/class.phpmailer.php#...
https://www.drupal.org/sa-core-2018-006
https://www.drupal.org/sa-contrib-2018-069
\Drupal\Core\Mail\Plugin\Mail\PhpMail::_isShellSafe()
1 call to HtmlMailSystem::isShellSafe()
- HtmlMailSystem::mail in src/Plugin/Mail/HtmlMailSystem.php - Send an email message.
File
- src/Plugin/Mail/HtmlMailSystem.php, line 471
Class
- HtmlMailSystem
- Modify the Drupal mail system to use HTML Mail when sending emails.
Namespace
Drupal\htmlmail\Plugin\Mail
Code
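protected static function isShellSafe($string) {
  // Reject the string if either escaping function would alter it:
  // escapeshellcmd() must return it unchanged and escapeshellarg() must do
  // no more than wrap it in single or double quotes.
  if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), [
    "'{$string}'",
    "\"{$string}\"",
  ])) {
    return FALSE;
  }
  // Allow only ASCII letters, digits and the characters @ _ - .
  if (preg_match('/[^a-zA-Z0-9@_\\-.]/', $string) !== 0) {
    return FALSE;
  }
  return TRUE;
}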
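
An added example, not part of the HTML Mail module: a stand-alone PHP copy of the check above, run over constructed sender strings, with a hypothetical caller that builds the additional-parameters argument of mail(). The names is_shell_safe() and additional_params(), the sample addresses and the use of the -f option are assumptions made for illustration.

```php
<?php

// Stand-alone copy of the check shown above (added example).
function is_shell_safe(string $string): bool {
  // Neither escaping function may change the string beyond quoting it.
  if (escapeshellcmd($string) !== $string
    || !in_array(escapeshellarg($string), ["'{$string}'", "\"{$string}\""], TRUE)) {
    return FALSE;
  }
  // Allow-list: ASCII letters, digits and @ _ - . only.
  return preg_match('/[^a-zA-Z0-9@_\\-.]/', $string) === 0;
}

// Hypothetical caller: returns the string to pass as the fifth argument of
// mail(). The sender is forwarded with -f only when it passes the check;
// otherwise no extra parameter is passed at all.
function additional_params(string $return_path): string {
  // The empty string contains no disallowed character, so it passes
  // is_shell_safe(); the caller has to exclude it separately.
  if ($return_path === '' || !is_shell_safe($return_path)) {
    return '';
  }
  return '-f' . $return_path;
}

// Constructed sample inputs, keyed by what each one contains.
$samples = [
  'plain address' => 'bounce@example.com',
  'hyphen, underscore and dot' => 'no-reply_1@mail.example.com',
  'plus tag (valid e-mail syntax, outside the allow-list)' => 'user+tag@example.com',
  'contains a space' => 'user name@example.com',
  'contains a single quote' => "o'brien@example.com",
  'empty string' => '',
];

foreach ($samples as $label => $address) {
  printf(
    "%-56s safe=%-5s params=%s\n",
    $label,
    var_export(is_shell_safe($address), TRUE),
    var_export(additional_params($address), TRUE)
  );
}
```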