From 8db01f13809a92bac7bc95b02893175d7654d627 Mon Sep 17 00:00:00 2001
From: Andrey Andreev <narf@devilix.net>
Date: Thu, 1 Dec 2016 14:06:57 +0200
Subject: Fix #4844

---
 system/libraries/Email.php          | 2 +-
 user_guide_src/source/changelog.rst | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/system/libraries/Email.php b/system/libraries/Email.php
index 676bbcafb..2e6f5be90 100644
--- a/system/libraries/Email.php
+++ b/system/libraries/Email.php
@@ -1878,7 +1878,7 @@ class CI_Email {
 		// is popen() enabled?
 		if ( ! function_usable('popen')
 			OR FALSE === ($fp = @popen(
-						$this->mailpath.' -oi -f '.$this->clean_email($this->_headers['From']).' -t'
+						$this->mailpath.' -oi -f '.escapeshellarg($this->clean_email($this->_headers['From'])).' -t'
 						, 'w'))
 		) // server probably has popen disabled, so nothing we can do to get a verbose error.
 		{
diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst
index 0d8a93b54..4f5efe276 100644
--- a/user_guide_src/source/changelog.rst
+++ b/user_guide_src/source/changelog.rst
@@ -24,6 +24,7 @@ Bug fixes for 3.1.3
 -  Fixed a bug (#4917) - :doc:`Date Helper <helpers/date_helper>` function :php:func:`nice_date()` didn't handle YYYYMMDD inputs properly.
 -  Fixed a bug (#4923) - :doc:`Session Library <libraries/sessions>` could execute an erroneous SQL query with the 'database' driver, if the lock attempt times out.
 -  Fixed a bug (#4927) - :doc:`Output Library <libraries/output>` method ``get_header()`` returned the first matching header, regardless of whether it would be replaced by a second ``set_header()`` call.
+-  Fixed a bug (#4844) - :doc:`Email Library <libraries/email>` didn't apply ``escapeshellarg()`` to the while passing the Sendmail ``-f`` parameter through ``popen()``.
 
 Version 3.1.2
 =============
-- 
cgit v1.2.3-24-g4f1b