Restrict shell-based mailers if we can't use them safely, fixes #966

2024-09-20 01:52:15 +02:00 · 2022-02-16 17:32:49 +01:00 · 2022-02-16 17:32:49 +01:00 · 7ac1bd3ac0
commit 7ac1bd3ac0
parent 7e1da4fae3
2 changed files with 10 additions and 1 deletions
--- a/changelog.md
+++ b/changelog.md
@ -1,5 +1,8 @@
 # PHPMailer Change Log

+## WIP
+* If we can't use escaping functions, refuse to do unsafe things
+
 ## Version 6.5.3 (November 25th, 2021)
 * Wrong commit tagged for the 6.5.2 release!
 * Version file updated
--- a/src/PHPMailer.php
+++ b/src/PHPMailer.php
@ -1798,7 +1798,13 @@ class PHPMailer
     */
    protected static function isShellSafe($string)
    {
-        //Future-proof
+        //It's not possible to use shell commands safely (which includes the mail() function) without escapeshellarg,
+        //but some hosting providers disable it, creating a security problem that we don't want to have to deal with,
+        //so we don't.
+        if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
+            return false;
+        }
+
        if (
            escapeshellcmd($string) !== $string
            || !in_array(escapeshellarg($string), ["'$string'", "\"$string\""])