PHPMailer::isShellSafe() protected static WP 1.0

Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters. Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.

Method of the class: PHPMailer{}

No Hooks.




$result = PHPMailer::isShellSafe( $string );
$string (string) (required)
The string to be validated


PHPMailer::isShellSafe() code WP 6.5.4

protected static function isShellSafe($string)
{
    //It's not possible to use shell commands safely (which includes the mail() function) without escapeshellarg,
    //but some hosting providers disable it, creating a security problem that we don't want to have to deal with,
    //so we don't.
    if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
        return false;
    }

    if (
        escapeshellcmd($string) !== $string
        || !in_array(escapeshellarg($string), ["'$string'", "\"$string\""])
    ) {
        return false;
    }

    $length = strlen($string);

    for ($i = 0; $i < $length; ++$i) {
        $c = $string[$i];

        //All other characters have a special meaning in at least one common shell, including = and +.
        //Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
        //Note that this does permit non-Latin alphanumeric characters based on the current locale.
        if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
            return false;
        }
    }

    return true;
}
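
As an added example (not PHPMailer or WordPress code), the helper below applies the same three checks as the method above but reports which one rejected the input, which helps when a legitimate-looking value is refused. The name explainShellUnsafe() is hypothetical and every sample string is constructed for illustration.

```php
<?php
// Added example, not PHPMailer code. explainShellUnsafe() is a hypothetical
// helper; every sample string below is constructed for illustration.

/** Returns null if $string passes the three checks, else the reason it fails. */
function explainShellUnsafe(string $string): ?string
{
    if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
        return 'escapeshellarg()/escapeshellcmd() are unavailable';
    }
    if (escapeshellcmd($string) !== $string) {
        return 'escapeshellcmd() would alter the string';
    }
    if (!in_array(escapeshellarg($string), ["'$string'", "\"$string\""], true)) {
        return 'escapeshellarg() did more than wrap the string in quotes';
    }
    $length = strlen($string);
    for ($i = 0; $i < $length; ++$i) {
        $c = $string[$i];
        // Same allowlist as above: alphanumerics plus @ _ - . and nothing else.
        if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
            return sprintf('byte 0x%02x at offset %d is not in the allowlist', ord($c), $i);
        }
    }
    return null;
}

$samples = [
    'bounce@example.com',          // plain address: passes
    'first.last_x-1@example.com',  // only @ _ - . besides alphanumerics: passes
    'user+tag@example.com',        // plus addressing: + is not in the allowlist
    'a b@example.com',             // space: untouched by both escapers, caught by the loop
    'user@example.com -x',         // option-like suffix: rejected at the space
    "user'@example.com",           // unpaired quote: escapeshellcmd() alters it
    'user;id@example.com',         // command separator: escapeshellcmd() alters it
    '',                            // empty string: passes, the loop never runs
];

foreach ($samples as $s) {
    $reason = explainShellUnsafe($s);
    printf("%-34s %s\n", var_export($s, true), $reason === null ? 'safe' : 'rejected: ' . $reason);
}
```

The empty string passes every check, so a caller that needs a non-empty value has to test for that separately.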