archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Disable rsh/ssh functionality in imap by default (bug #77153)

Browse source
This commit is contained in:
Stanislav Malyshev 2018-11-18 17:10:43 -08:00
parent cba6055cac
commit 628df47e79
5 changed files with 52 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

4
NEWS
View file

@ -2,7 +2,9 @@ PHP NEWS
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2018 PHP 7.0.33 ?? ??? 2018 PHP 7.0.33
- IMAP:
. Fixed bug #77153 (imap_open allows to run arbitrary shell commands via
mailbox parameter). (Stas)
13 Sep 2018 PHP 7.0.32 13 Sep 2018 PHP 7.0.32

7
UPGRADING
View file

@ -526,6 +526,13 @@ Other
. Removed xsl.security_prefs ini option. Use XsltProcessor::setSecurityPrefs() . Removed xsl.security_prefs ini option. Use XsltProcessor::setSecurityPrefs()
instead. instead.
- IMAP:
Starting with 7.0.33, rsh/ssh logins are disabled by default. Use
imap.enable_insecure_rsh if you want to enable them. Note that the IMAP
library does not filter mailbox names before passing them to rsh/ssh
command, thus passing untrusted data to this function with rsh/ssh enabled
is insecure.
======================================== ========================================
2. New Features 2. New Features
======================================== ========================================

17
ext/imap/php_imap.c
View file

@ -562,6 +562,15 @@ static const zend_module_dep imap_deps[] = {
}; };
/* }}} */ /* }}} */
/* {{{ PHP_INI
*/
PHP_INI_BEGIN()
STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals)
PHP_INI_END()
/* }}} */
/* {{{ imap_module_entry /* {{{ imap_module_entry
*/ */
zend_module_entry imap_module_entry = { zend_module_entry imap_module_entry = {
@ -832,6 +841,8 @@ PHP_MINIT_FUNCTION(imap)
{ {
unsigned long sa_all = SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY; unsigned long sa_all = SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY;
REGISTER_INI_ENTRIES();
#ifndef PHP_WIN32 #ifndef PHP_WIN32
mail_link(&unixdriver); /* link in the unix driver */ mail_link(&unixdriver); /* link in the unix driver */
mail_link(&mhdriver); /* link in the mh driver */ mail_link(&mhdriver); /* link in the mh driver */
@ -1049,6 +1060,12 @@ PHP_MINIT_FUNCTION(imap)
GC_TEXTS texts GC_TEXTS texts
*/ */
if (!IMAPG(enable_rsh)) {
/* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */
mail_parameters (NIL, SET_RSHTIMEOUT, 0);
mail_parameters (NIL, SET_SSHTIMEOUT, 0);
}
le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number); le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number);
return SUCCESS; return SUCCESS;
} }

1
ext/imap/php_imap.h
View file

@ -216,6 +216,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap)
#endif #endif
/* php_stream for php_mail_gets() */ /* php_stream for php_mail_gets() */
php_stream *gets_stream; php_stream *gets_stream;
zend_bool enable_rsh;
ZEND_END_MODULE_GLOBALS(imap) ZEND_END_MODULE_GLOBALS(imap)
#ifdef ZTS #ifdef ZTS

24
ext/imap/tests/bug77153.phpt Normal file
View file

@ -0,0 +1,24 @@
--TEST--
Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter)
--SKIPIF--
<?php
if (!extension_loaded("imap")) {
die("skip imap extension not available");
}
?>
--FILE--
<?php
$payload = "echo 'BUG'> " . __DIR__ . '/__bug';
$payloadb64 = base64_encode($payload);
$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}";
@imap_open('{'.$server.':143/imap}INBOX', '', '');
// clean
imap_errors();
var_dump(file_exists(__DIR__ . '/__bug'));
?>
--EXPECT--
bool(false)
--CLEAN--
<?php
if(file_exists(__DIR__ . '/__bug')) unlink(__DIR__ . '/__bug');
?>