Disable rsh/ssh functionality in imap by default (bug #77153)
authorStanislav Malyshev <stas@php.net>
Mon, 19 Nov 2018 01:10:43 +0000 (17:10 -0800)
committerStanislav Malyshev <stas@php.net>
Tue, 20 Nov 2018 19:16:08 +0000 (11:16 -0800)
NEWS
UPGRADING
ext/imap/php_imap.c
ext/imap/php_imap.h
ext/imap/tests/bug77153.phpt [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index 52b3c1c32940cfbdfef0358cd9b1e0a00d3ddf91..7e00a9a2bd077dfd9fd90c7d6e5172652ef2fc2a 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,10 @@ PHP                                                                        NEWS
   . Fixed bug #77147 (Fixing 60494 ignored ICONV_MIME_DECODE_CONTINUE_ON_ERROR).
     (cmb)
 
+- IMAP:
+  . Fixed bug #77153 (imap_open allows to run arbitrary shell commands via
+    mailbox parameter). (Stas)
+
 - ODBC:
   . Fixed bug #77079 (odbc_fetch_object has incorrect type signature).
     (Jon Allen)
index 5919bc19649f921c0201f030b417d96f3f5131d8..8821f9eb7dd081ec960d676e52349f08f89537a9 100644 (file)
--- a/UPGRADING
+++ b/UPGRADING
@@ -146,6 +146,13 @@ PHP 7.1 UPGRADE NOTES
     aligned, which causes slightly different behavior than before for some
     pathological cases.
 
+- IMAP:
+  Starting with 7.1.25, rsh/ssh logins are disabled by default. Use
+  imap.enable_insecure_rsh if you want to enable them. Note that the IMAP
+  library does not filter mailbox names before passing them to rsh/ssh
+  command, thus passing untrusted data to this function with rsh/ssh enabled
+  is insecure.
+
 ========================================
 2. New Features
 ========================================
index 9a5e6e84a7188aff8c7a4b54c880d847183e174c..1062f72a440d214090a6a74b4b94ff6c6388eca6 100644 (file)
@@ -562,6 +562,15 @@ static const zend_module_dep imap_deps[] = {
 };
 /* }}} */
 
+
+/* {{{ PHP_INI
+ */
+PHP_INI_BEGIN()
+STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals)
+PHP_INI_END()
+/* }}} */
+
+
 /* {{{ imap_module_entry
  */
 zend_module_entry imap_module_entry = {
@@ -832,6 +841,8 @@ PHP_MINIT_FUNCTION(imap)
 {
        unsigned long sa_all =  SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY;
 
+       REGISTER_INI_ENTRIES();
+
 #ifndef PHP_WIN32
        mail_link(&unixdriver);         /* link in the unix driver */
        mail_link(&mhdriver);           /* link in the mh driver */
@@ -1049,6 +1060,12 @@ PHP_MINIT_FUNCTION(imap)
        GC_TEXTS               texts
        */
 
+       if (!IMAPG(enable_rsh)) {
+               /* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */
+               mail_parameters (NIL, SET_RSHTIMEOUT, 0);
+               mail_parameters (NIL, SET_SSHTIMEOUT, 0);
+       }
+
        le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number);
        return SUCCESS;
 }
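Review bot: The guard at the end of PHP_MINIT_FUNCTION reads IMAPG(enable_rsh) exactly once, at module start-up, and that is only sound because the first hunk registers imap.enable_insecure_rsh as PHP_INI_SYSTEM; if the mode were ever relaxed, a request-time change from 1 to 0 would not take effect, because the c-client timeouts are never re-applied. The comment on the block should record that coupling and the mechanism it relies on, e.g. `/* evaluated once at MINIT: imap.enable_insecure_rsh is PHP_INI_SYSTEM and cannot change later; a zero timeout is what c-client treats as "never attempt rsh/ssh" (bug #77153) */`. Separately, the second hunk adds REGISTER_INI_ENTRIES() but no matching UNREGISTER_INI_ENTRIES() appears in this diff; if the module has a PHP_MSHUTDOWN_FUNCTION outside the shown hunks it should get the call, as the usual pairing. The enclosing PHP_MINIT_FUNCTION body starts outside the last hunk.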
index 3b3cdbaed5f9d8a13e03e23dfad0355b9ce78d98..5aa7469099229aacb5bf41ed24359e2e052526a2 100644 (file)
@@ -216,6 +216,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap)
 #endif
        /* php_stream for php_mail_gets() */
        php_stream *gets_stream;
+       zend_bool enable_rsh;
 ZEND_END_MODULE_GLOBALS(imap)
 
 #ifdef ZTS
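Review bot: The new `enable_rsh` global has no comment, while the neighbouring `gets_stream` field documents what it is for. Since this flag is the only thing that decides whether untrusted mailbox names can reach an rsh/ssh command, it deserves a one-line note such as `/* mirrors imap.enable_insecure_rsh (PHP_INI_SYSTEM); when 0, MINIT zeroes the c-client rsh/ssh timeouts, see bug #77153 */`. The ZEND_BEGIN_MODULE_GLOBALS block starts outside the hunk.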
diff --git a/ext/imap/tests/bug77153.phpt b/ext/imap/tests/bug77153.phpt
new file mode 100644 (file)
index 0000000..63590ae
--- /dev/null
@@ -0,0 +1,24 @@
+--TEST--                                 
+Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter)
+--SKIPIF--
+<?php
+        if (!extension_loaded("imap")) { 
+                die("skip imap extension not available");  
+        }
+?>
+--FILE--
+<?php
+$payload = "echo 'BUG'> " . __DIR__ . '/__bug';
+$payloadb64 = base64_encode($payload);
+$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}";
+@imap_open('{'.$server.':143/imap}INBOX', '', '');
+// clean
+imap_errors();
+var_dump(file_exists(__DIR__ . '/__bug'));
+?>
+--EXPECT--
+bool(false)
+--CLEAN--
+<?php
+if(file_exists(__DIR__ . '/__bug')) unlink(__DIR__ . '/__bug');
+?>
\ No newline at end of file
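Review bot: The test only proves the fix if imap.enable_insecure_rsh is at its default, but nothing pins that: a build or CI php.ini that sets the option to 1 would make this regression test fail (and, worse, run the crafted mailbox string) rather than skip. Add an INI section between `--SKIPIF--` and `--FILE--`, `--INI--` followed by `imap.enable_insecure_rsh=0`, so the expectation `bool(false)` is tied to the configuration it verifies. The `--TEST--` line and the two lines inside the SKIPIF block carry trailing whitespace, and the file ends without a newline; both are worth cleaning before merge.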