From 7ac1bd3ac0fae8350f056f7cb0a1d36d8bfae977 Mon Sep 17 00:00:00 2001
From: Marcus Bointon <marcus@synchromedia.co.uk>
Date: Wed, 16 Feb 2022 17:32:49 +0100
Subject: [PATCH] Restrict shell-based mailers if we can't use them safely,
 fixes #966

---
 changelog.md      | 3 +++
 src/PHPMailer.php | 8 +++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/changelog.md b/changelog.md
index 116bea68..2ef5c459 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,8 @@
 # PHPMailer Change Log
 
+## WIP
+* If we can't use escaping functions, refuse to do unsafe things
+
 ## Version 6.5.3 (November 25th, 2021)
 * Wrong commit tagged for the 6.5.2 release!
 * Version file updated
diff --git a/src/PHPMailer.php b/src/PHPMailer.php
index e1b0c88f..6130ce61 100644
--- a/src/PHPMailer.php
+++ b/src/PHPMailer.php
@@ -1798,7 +1798,13 @@ class PHPMailer
      */
     protected static function isShellSafe($string)
     {
-        //Future-proof
+        //It's not possible to use shell commands safely (which includes the mail() function) without escapeshellarg,
+        //but some hosting providers disable it, creating a security problem that we don't want to have to deal with,
+        //so we don't.
+        if (!function_exists('escapeshellarg') || !function_exists('escapeshellcmd')) {
+            return false;
+        }
+
         if (
             escapeshellcmd($string) !== $string
             || !in_array(escapeshellarg($string), ["'$string'", "\"$string\""])