Restrict shell-based mailers if we can't use them safely, fixes #966
parent
7e1da4fae3
commit
7ac1bd3ac0
@ -1,5 +1,8 @@
|
||||
# PHPMailer Change Log
|
||||
|
||||
## WIP
|
||||
* If we can't use escaping functions, refuse to do unsafe things
|
||||
|
||||
## Version 6.5.3 (November 25th, 2021)
|
||||
* Wrong commit tagged for the 6.5.2 release!
|
||||
* Version file updated
|
||||
|
@ -1798,7 +1798,13 @@ class PHPMailer
|
||||
*/
|
||||
protected static function isShellSafe($string)
|
||||
{
|
||||
//Future-proof
|
||||
//It's not possible to use shell commands safely (which includes the mail() function) without escapeshellarg,
|
||||
//but some hosting providers disable it, creating a security problem that we don't want to have to deal with,
|
||||
//so we don't.
|
||||
if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (
|
||||
escapeshellcmd($string) !== $string
|
||||
|| !in_array(escapeshellarg($string), ["'$string'", "\"$string\""])
|
||||
|
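Review bot: The early `return false` added under the `function_exists('escapeshellarg')` check gives callers the same result as a string that failed the escaping comparison, so on a host where these functions are disabled, whatever the callers gate on this method is dropped silently, with nothing telling the operator why. Failing closed is the right default, but the docblock that ends just above the signature (it starts outside the hunk) should state the new condition, for example `@return bool False if the string is unsafe, or if escapeshellarg()/escapeshellcmd() are unavailable and safety cannot be verified`. The callers are not visible here; if they have a debug output channel, a one-line message on this path would make the downgrade diagnosable. The body of isShellSafe continues past the end of the hunk.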