function PhpMail::_isShellSafe

Same name in other branches
  1. 9 core/lib/Drupal/Core/Mail/Plugin/Mail/PhpMail.php \Drupal\Core\Mail\Plugin\Mail\PhpMail::_isShellSafe()
  2. 8.9.x core/lib/Drupal/Core/Mail/Plugin/Mail/PhpMail.php \Drupal\Core\Mail\Plugin\Mail\PhpMail::_isShellSafe()
  3. 11.x core/lib/Drupal/Core/Mail/Plugin/Mail/PhpMail.php \Drupal\Core\Mail\Plugin\Mail\PhpMail::_isShellSafe()

Disallows potentially unsafe shell characters.

Functionally similar to PHPMailer::isShellSafe() which resulted from CVE-2016-10045. Note that escapeshellarg and escapeshellcmd are inadequate for this purpose.

@todo Rename to ::isShellSafe() and/or discuss whether this is the correct location for this helper.

Parameters

string $string: The string to be validated.

Return value

bool True if the string is shell-safe.

See also

https://github.com/PHPMailer/PHPMailer/issues/924

https://github.com/PHPMailer/PHPMailer/blob/v5.2.21/class.phpmailer.php…

1 call to PhpMail::_isShellSafe()
PhpMail::mail in core/lib/Drupal/Core/Mail/Plugin/Mail/PhpMail.php
Sends an email message.

File

core/lib/Drupal/Core/Mail/Plugin/Mail/PhpMail.php, line 197

Class

PhpMail
Defines the default Drupal mail backend, using PHP's native mail() function.

Namespace

Drupal\Core\Mail\Plugin\Mail

Code

protected static function _isShellSafe($string) {
    if (escapeshellcmd($string) !== $string || !in_array(escapeshellarg($string), [
        "'{$string}'",
        "\"{$string}\"",
    ])) {
        return FALSE;
    }
    if (preg_match('/[^a-zA-Z0-9@_\\-.]/', $string) !== 0) {
        return FALSE;
    }
    return TRUE;
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.