Check remote servers when validating email addresses
PHPMailer (not core PHP) apparently either calls PHP's popen(), which passes to the shell, or calls PHP's mail(), which uses popen().
There are other options in PHP, like proc_open(), but they also call /bin/sh.
In those cases, it really isn't a good idea to send mail in-process anyway due to web-process and SMTP timeouts.
Queueing messages with something like Gearman or some other job handler would be a more secure and performant approach.
It looks like better documentation could have prevented this bug. Barring user-submitted comments, PHP has consistently had some of the most complete programming language documentation.
This exact issue is specifically documented with the mail() function, so I'm not sure you can blame PHP or ask for better documentation in this case: "This parameter is escaped by escapeshellcmd() internally to prevent command execution.
escapeshellcmd() prevents command execution, but allows to add additional parameters.
For security reasons, it is recommended for the user to sanitize this parameter to avoid adding unwanted parameters to the shell command." Escaping too many times or incorrectly is a pretty common error, but it's normally of the PEBKAC variety.
- Why is it possible to do command execution in a mailer at all???
4) Please do not use this method to continuously check for availability of gmail / yahoo / msn accounts etc., as this may cause your IP to be added to a blacklist.
So, instead of:
With the result passed to sendmail via the underlying functions, not relying on the shell to separate options for you.
Any sort of user-supplied data should be parameterized and treated differently than data you provide.
That's true, but it doesn't typically work out of the box. Postfix on Debian and Ubuntu, for example, won't allow relay through localhost... unless it's SASL authenticated, which requires work.
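The two points made above, that escapeshellcmd() stops command execution but not extra arguments, and that user-supplied data should be parameterized rather than handed to the shell, can be put together in code. The following is an added example written for this page; it is not code from the thread, from PHP's documentation, or from PHPMailer. It assumes PHP 7.4 or later, whose array form of proc_open() starts the process directly without /bin/sh, and a sendmail-compatible binary at /usr/sbin/sendmail (an assumed path; adjust for your MTA). The sender address is validated with a deliberately conservative grammar and then passed as its own argv element, so no shell ever parses it.

```php
<?php
// Added example, not part of the original thread or of PHPMailer.
// Assumptions: PHP >= 7.4 (array form of proc_open bypasses the shell) and a
// sendmail-compatible binary at the path below.
declare(strict_types=1);

const SENDMAIL_BIN = '/usr/sbin/sendmail'; // assumed path, adjust for your MTA

/**
 * Accept only a conservative address grammar. This is stricter than RFC 5322 on
 * purpose: the value becomes a single argv entry, so whitespace, quotes and a
 * leading "-" (which sendmail would read as an option) are all refused.
 * Returns the address unchanged when it passes, null otherwise.
 */
function validateEnvelopeSender(string $address): ?string
{
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Plain ASCII local part and domain only; no spaces, quotes or control chars.
    if (!preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $address)) {
        return null;
    }
    // The regex above still admits a leading "-"; refuse it explicitly.
    if ($address[0] === '-') {
        return null;
    }
    return $address;
}

/**
 * Header values must not contain line breaks, otherwise a caller could smuggle
 * extra headers into the message. Returns null when the value is unsafe.
 */
function validateHeaderValue(string $value): ?string
{
    return preg_match('/[\r\n]/', $value) ? null : $value;
}

/**
 * Hand the message to sendmail with the envelope sender as a separate argv
 * entry. No shell is involved, so escapeshellcmd()/escapeshellarg() are
 * neither needed nor correct here; validation is the only check that applies.
 */
function sendViaSendmail(string $from, string $to, string $subject, string $body): bool
{
    $sender    = validateEnvelopeSender($from);
    $recipient = validateEnvelopeSender($to);
    $subj      = validateHeaderValue($subject);
    if ($sender === null || $recipient === null || $subj === null) {
        return false; // refuse rather than "escape" and hope
    }

    // Each array element is exactly one argv entry for sendmail.
    // -t: read recipients from the headers; -i: do not stop at a lone "." line.
    $cmd  = [SENDMAIL_BIN, '-t', '-i', '-f', $sender];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }

    $message = "From: {$sender}\r\n"
             . "To: {$recipient}\r\n"
             . "Subject: {$subj}\r\n"
             . "\r\n"
             . $body . "\r\n";
    fwrite($pipes[0], $message);
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);

    return proc_close($proc) === 0;
}

// Constructed sample inputs: the first call is refused by the validator before
// any process is started, the second would be delivered to the local MTA.
var_dump(validateEnvelopeSender('"a b"@example.com -X /tmp/x')); // NULL
var_dump(validateEnvelopeSender('user@example.com'));            // "user@example.com"
```

Where mail() has to stay, the same validateEnvelopeSender() check applied before building the fifth parameter is the sanitization the quoted documentation asks for; the difference is that with the array form of proc_open() there is no shell left for an "additional parameter" to reach. Queueing the message (as suggested above) does not change this: whatever eventually talks to sendmail still needs to treat the address as an argument, not as part of a command string.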
We have all been doing email address validation for a very long time to make sure that the email is correctly formatted.