PHPMailer\PHPMailer
PHPMailer::isShellSafe
Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters. Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
Method of the class: PHPMailer{}
No Hooks.
Returns
true|false.
Usage
$result = PHPMailer::isShellSafe( $string );
- $string (string) (required)
  The string to be validated.
Notes
- See: CVE-2016-10045 bug report, https://github.com/PHPMailer/PHPMailer/issues/924
PHPMailer::isShellSafe() code (WP 6.9.1)
protected static function isShellSafe($string)
{
    //It's not possible to use shell commands safely (which includes the mail() function) without escapeshellarg,
    //but some hosting providers disable it, creating a security problem that we don't want to have to deal with,
    //so we don't.
    if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
        return false;
    }

    if (
        escapeshellcmd($string) !== $string
        || !in_array(escapeshellarg($string), ["'$string'", "\"$string\""])
    ) {
        return false;
    }

    $length = strlen($string);

    for ($i = 0; $i < $length; ++$i) {
        $c = $string[$i];

        //All other characters have a special meaning in at least one common shell, including = and +.
        //Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
        //Note that this does permit non-Latin alphanumeric characters based on the current locale.
        if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
            return false;
        }
    }

    return true;
}
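The following is an added, stand-alone example (not PHPMailer's or WordPress's own code) that exercises the check above on a few constructed sender addresses and shows the defensive pattern a caller can follow: only hand the address to the mail() command-line parameters when it passes the allow-list, otherwise send without it. The class name SenderCheck, the mailParams() helper and the sample inputs are assumptions made for this example; the method body is a copy of the isShellSafe() logic shown above so that the script runs by itself.

```php
<?php
// Added example, not part of PHPMailer or WordPress. Class name, helper and
// sample inputs are assumptions for this demonstration.

final class SenderCheck
{
    // Same allow-list logic as PHPMailer::isShellSafe() on this page,
    // copied here so the script runs stand-alone.
    public static function isShellSafe(string $string): bool
    {
        // Without the escape functions there is no safe way to use the shell.
        if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
            return false;
        }

        // escapeshellcmd must leave the string untouched, and escapeshellarg must
        // only have wrapped it in quotes (single on POSIX, double on Windows).
        if (
            escapeshellcmd($string) !== $string
            || !in_array(escapeshellarg($string), ["'$string'", "\"$string\""], true)
        ) {
            return false;
        }

        // Final allow-list: alphanumerics plus @ _ - . only.
        $length = strlen($string);
        for ($i = 0; $i < $length; ++$i) {
            $c = $string[$i];
            if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
                return false;
            }
        }

        return true;
    }

    /**
     * Decide which additional_params value to pass to mail().
     * Returns "-f<sender>" only when the address passes isShellSafe();
     * otherwise returns '' so the rejected value never reaches the
     * sendmail command line and the message is sent without an explicit
     * envelope sender.
     */
    public static function mailParams(string $sender): string
    {
        if ($sender !== '' && self::isShellSafe($sender)) {
            return sprintf('-f%s', $sender);
        }

        return '';
    }
}

// Constructed inputs for the demonstration.
$cases = [
    'alice@example.com',              // plain address: accepted
    'first.last-name_1@mail.example', // allowed punctuation only: accepted
    'alice@example.com extra',        // space fails the allow-list loop
    "a'b@example.com",                // unpaired quote changes escapeshellcmd output
    'a|b@example.com',                // pipe is escaped by escapeshellcmd
];

foreach ($cases as $sender) {
    printf(
        "%-34s safe=%-5s params=%s\n",
        $sender,
        SenderCheck::isShellSafe($sender) ? 'true' : 'false',
        var_export(SenderCheck::mailParams($sender), true)
    );
}
```

Run with `php sender_check.php`. The first two addresses produce a `-f` parameter; the remaining three are rejected at different stages of the check (the allow-list loop for the space, the escapeshellcmd comparison for the quote and the pipe), and mailParams() returns an empty string for each, which is the fallback behaviour a caller wants when validation fails. The double-quoted form in the in_array() comparison matters on Windows, where escapeshellarg() wraps its argument in double quotes rather than single ones.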