This issue is to rename a method in HTMLMailSystem:

-  protected static function _isShellSafe($string) {
+  protected static function isShellSafe($string) {

Leading underscores to indicate a "private" function are not needed and not wanted - the method visibility (and not a naming convention) should be used to control access to the method.

This also addresses a @todo in the code and fixes one of the last remaining coding standards problems with this module.

CommentFileSizeAuthor
#8 3167272-8-is-shell-safe.patch1.75 KBsalvis
#2 3167272-2-is-shell-safe.patch1.86 KBtr

Comments

TR created an issue. See original summary.

tr’s picture

tr commented
Status: Active » Needs review
StatusFileSize
new 3167272-2-is-shell-safe.patch1.86 KB
tr’s picture

tr commented
Issue summary: View changes
tr’s picture

tr commented
Issue summary: View changes

  • TR committed 6365635 on 8.x-3.x 
    Issue #3167272 by TR: Rename HTMLMailSystem::_isShellSafe()
  • TR committed 9c5543b on 8.x-3.x
    Issue #3167272 by TR: Rename HTMLMailSystem::_isShellSafe()
tr’s picture

tr commented
Status: Needs review » Fixed

Committed. Commit 6365635 actually belongs to #3163507: file_scan_directory() is deprecated, but I wrote the wrong commit message which is why it shows up here.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

salvis’s picture

salvis
he/his
commented
Status: Closed (fixed) » Needs review
StatusFileSize
new 3167272-8-is-shell-safe.patch1.75 KB

The ToDo

   * @todo Rename to ::isShellSafe() and/or discuss whether this is the correct
   *   location for this helper.

was copied from Core and is still there. I agree that it was a bit confusing to see it here.

The method moved to the PhpMail class, but its name in Core still has an underscore. If you want to get rid of the underscore, that's fine, but then we have to make an extra effort to keep the link to Core, because this is a security issue.

Let's use getDefaultFromMail() though, to keep $site_mail consistent.

  • salvis committed 0687ce3 on 8.x-3.x 
    Issue #3167272 by salvis: Rename HTMLMailSystem::_isShellSafe().
salvis’s picture

salvis
he/his
commented
Status: Needs review » Fixed
tr’s picture

tr commented

Good point. Thanks for catching that.

PhpMail::_isShellSafe() is the core method, but we're not overriding that here or extending/using PhpMail in any way. It is a static function, however, so perhaps we should just call that PhpMail method here instead of using a copy of its code? Oh, but we can't because it's protected ...

I think now I understand the comment better - it makes no sense to have this protected static method in PhpMail, it should probably be a public static method in the core MailFormatHelper. Perhaps we should take a step in that direction and move our copy of isShellSafe() into HtmlMailHelper?

salvis’s picture

salvis
he/his
commented

Yes, it would be really, really nice to be able to call that function in Core, not just for HTML Mail but also for a bunch of other contribs. I've tried to get it public in s.d.o, but I was told we wanted to minimize changes to public interfaces in security issues. I agree with the general idea, but the damage of leaving behind this mess is much greater than the one of adding a simple function.

Perhaps we should take a step in that direction and move our copy of isShellSafe() into HtmlMailHelper?

I doubt we can make a lasting impression with a purely symbolic act like this. :-)

I put it into HtmlMailSystem at the time because that was the only place where it's used. Keeping the security issue in a single file and not disturbing the history by moving things has its advantages, too.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.