I was reading https://blog.ripstech.com/2016/roundcube-command-execution-via-email/ . We don't do escaping of the fifth argument to mail() either. Our sanitation functions should prevent any evil mail addresses (possibly someone could make something evil using the ! character, but it's not clear if that is possible), but we should also just escape that similar to any other shell command.
It's somewhat complicated by the fact PHP does its own totally messed up escaping, so we can't just use wfEscapeShellArg.
For reference, line 409 of includes/mail/UserMailer.php
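
One way to handle the point above, as an added example that is not MediaWiki's code: because mail() applies escapeshellcmd() to its fifth argument internally, the hypothetical helper buildEnvelopeSenderArg() accepts only addresses from a strict allowlist on which that internal escaping is a no-op, and otherwise returns an empty string so that no extra argument is passed. The helper name, the allowlist and the sample addresses are assumptions made for this illustration.

```php
<?php
// Added illustration; buildEnvelopeSenderArg() is a hypothetical helper,
// not a MediaWiki function.

/**
 * Build the fifth argument for mail() ("-f<address>").
 * Returns '' when the address is not safe to place on the sendmail
 * command line; the caller should then omit the fifth argument.
 */
function buildEnvelopeSenderArg( string $address ): string {
	// Strict allowlist: no whitespace, quotes, backslashes, '!' or other
	// shell metacharacters, and the local part may not start with '-'.
	$local = '[A-Za-z0-9][A-Za-z0-9._+=-]{0,63}';
	$label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
	$pattern = '/\A' . $local . '@' . $label . '(?:\.' . $label . ')+\z/';
	if ( !preg_match( $pattern, $address ) ) {
		return '';
	}

	$arg = '-f' . $address;

	// mail() runs escapeshellcmd() over this string itself. Wrapping the
	// value in escapeshellarg() first would be altered by that second pass,
	// so instead require that escapeshellcmd() leaves the value unchanged.
	if ( escapeshellcmd( $arg ) !== $arg ) {
		return '';
	}
	return $arg;
}

// Constructed sample addresses, for demonstration only.
$samples = [
	'wiki@example.org',
	'two words@example.org',
	'-leading@example.org',
	'bang!user@example.org',
];
foreach ( $samples as $addr ) {
	$arg = buildEnvelopeSenderArg( $addr );
	printf( "%-24s => %s\n", $addr, $arg === '' ? '(rejected)' : $arg );
}
```

Only the first sample is accepted; the other three are rejected by the allowlist before any shell-level escaping is involved.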