PHPMailer\PHPMailer
PHPMailer::isShellSafe()
Fix CVE-2016-10033 and CVE-2016-10045 by disallowing potentially unsafe shell characters. Note that escapeshellarg and escapeshellcmd are inadequate for our purposes, especially on Windows.
Method of class: PHPMailer{}
No hooks.
Returns
true|false.
Usage
$result = PHPMailer::isShellSafe( $string );
- $string(string) (required)
- The string to be validated
Notes
- See: https://github.com/PHPMailer/PHPMailer/issues/924 CVE-2016-10045 bug report
Code of PHPMailer::isShellSafe() WP 6.6.1
protected static function isShellSafe($string)
{
    //It's not possible to use shell commands safely (which includes the mail() function) without escapeshellarg,
    //but some hosting providers disable it, creating a security problem that we don't want to have to deal with,
    //so we don't.
    if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
        return false;
    }

    if (
        escapeshellcmd($string) !== $string
        || !in_array(escapeshellarg($string), ["'$string'", "\"$string\""])
    ) {
        return false;
    }

    $length = strlen($string);

    for ($i = 0; $i < $length; ++$i) {
        $c = $string[$i];

        //All other characters have a special meaning in at least one common shell, including = and +.
        //Full stop (.) has a special meaning in cmd.exe, but its impact should be negligible here.
        //Note that this does permit non-Latin alphanumeric characters based on the current locale.
        if (!ctype_alnum($c) && strpos('@_-.', $c) === false) {
            return false;
        }
    }

    return true;
}
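An added example (not PHPMailer's or WordPress's code): it splits the checks from the listing above into stages and reports which stage rejects each constructed sample value. It shows that a space or a + passes both escapeshell* comparisons and is stopped only by the character allowlist. The function name shell_safe_stage() and the sample addresses are assumptions made for illustration.

```php
<?php
// Added illustration, not PHPMailer's code. shell_safe_stage() is a
// hypothetical name; it mirrors the three checks in isShellSafe() but
// reports which one rejects the value instead of returning a bool.
function shell_safe_stage(string $s): string
{
    if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
        return 'rejected: escapeshell* functions unavailable';
    }
    // Stage 1: escapeshellcmd() must leave the string unchanged.
    if (escapeshellcmd($s) !== $s) {
        return 'rejected by escapeshellcmd comparison';
    }
    // Stage 2: escapeshellarg() must do nothing except wrap it in quotes.
    if (!in_array(escapeshellarg($s), ["'$s'", "\"$s\""], true)) {
        return 'rejected by escapeshellarg comparison';
    }
    // Stage 3: allowlist of alphanumerics plus @ _ - . (byte by byte).
    $length = strlen($s);
    for ($i = 0; $i < $length; ++$i) {
        if (!ctype_alnum($s[$i]) && strpos('@_-.', $s[$i]) === false) {
            return 'rejected by allowlist at byte ' . $i;
        }
    }
    return 'accepted';
}

// Constructed sample values (benign, for illustration only).
$samples = [
    'bounce@example.com',
    'first last@example.com',
    'user+tag@example.com',
    'a;b@example.com',
    "o'brien@example.com",
];

foreach ($samples as $sample) {
    printf("%-26s %s\n", $sample, shell_safe_stage($sample));
}
```

Values that are valid e-mail addresses, such as one containing +, are still rejected, so callers should treat a false result as "do not pass this value to the shell", not as "the address is invalid".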