From 05782f01f5d179187798551e901d06d2c621bdae Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 18 Nov 2018 17:10:43 -0800 Subject: [PATCH 1/2] Disable rsh/ssh functionality in imap by default (bug #77153) --- NEWS | 4 ++++ UPGRADING | 7 +++++++ ext/imap/php_imap.c | 17 +++++++++++++++++ ext/imap/php_imap.h | 1 + ext/imap/tests/bug77153.phpt | 24 ++++++++++++++++++++++++ 5 files changed, 53 insertions(+) create mode 100644 ext/imap/tests/bug77153.phpt diff --git a/NEWS b/NEWS index 52b3c1c3294..7e00a9a2bd0 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,10 @@ PHP NEWS . Fixed bug #77147 (Fixing 60494 ignored ICONV_MIME_DECODE_CONTINUE_ON_ERROR). (cmb) +- IMAP: + . Fixed bug #77153 (imap_open allows to run arbitrary shell commands via + mailbox parameter). (Stas) + - ODBC: . Fixed bug #77079 (odbc_fetch_object has incorrect type signature). (Jon Allen) diff --git a/UPGRADING b/UPGRADING index 5919bc19649..8821f9eb7dd 100644 --- a/UPGRADING +++ b/UPGRADING @@ -146,6 +146,13 @@ PHP 7.1 UPGRADE NOTES aligned, which causes slightly different behavior than before for some pathological cases. +- IMAP: + Starting with 7.1.25, rsh/ssh logins are disabled by default. Use + imap.enable_insecure_rsh if you want to enable them. Note that the IMAP + library does not filter mailbox names before passing them to rsh/ssh + command, thus passing untrusted data to this function with rsh/ssh enabled + is insecure. + ======================================== 2. New Features ======================================== diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index 9a5e6e84a71..1062f72a440 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c 
@@ -562,6 +562,15 @@ static const zend_module_dep imap_deps[] = { }; /* }}} */ + +/* {{{ PHP_INI + */ +PHP_INI_BEGIN() +STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals) +PHP_INI_END() +/* }}} */ + + /* {{{ imap_module_entry */ zend_module_entry imap_module_entry = { @@ -832,6 +841,8 @@ PHP_MINIT_FUNCTION(imap) { unsigned long sa_all = SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY; + REGISTER_INI_ENTRIES(); + #ifndef PHP_WIN32 mail_link(&unixdriver); /* link in the unix driver */ mail_link(&mhdriver); /* link in the mh driver */ @@ -1049,6 +1060,12 @@ PHP_MINIT_FUNCTION(imap) GC_TEXTS texts */ + if (!IMAPG(enable_rsh)) { + /* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */ + mail_parameters (NIL, SET_RSHTIMEOUT, 0); + mail_parameters (NIL, SET_SSHTIMEOUT, 0); + } + le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number); return SUCCESS; } diff --git a/ext/imap/php_imap.h b/ext/imap/php_imap.h index 3b3cdbaed5f..5aa74690992 100644 --- a/ext/imap/php_imap.h +++ b/ext/imap/php_imap.h @@ -216,6 +216,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap) #endif /* php_stream for php_mail_gets() */ php_stream *gets_stream; + zend_bool enable_rsh; ZEND_END_MODULE_GLOBALS(imap) #ifdef ZTS diff --git a/ext/imap/tests/bug77153.phpt b/ext/imap/tests/bug77153.phpt new file mode 100644 index 00000000000..63590aee1dd --- /dev/null +++ b/ext/imap/tests/bug77153.phpt @@ -0,0 +1,24 @@ +--TEST-- +Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter) +--SKIPIF-- + +--FILE-- + " . __DIR__ . '/__bug'; +$payloadb64 = base64_encode($payload); +$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}"; +@imap_open('{'.$server.':143/imap}INBOX', '', ''); +// clean +imap_errors(); +var_dump(file_exists(__DIR__ . '/__bug')); +?> +--EXPECT-- +bool(false) +--CLEAN-- + \ No newline at end of file 
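Review bot: The new `imap.enable_insecure_rsh` entry in the `@@ -562` hunk carries no comment saying why it is registered with `PHP_INI_SYSTEM` rather than `PHP_INI_ALL`, and that scope is the security-relevant part of the change: it keeps a script from re-enabling rsh/ssh preauthentication through `ini_set()`. I would add above `PHP_INI_BEGIN()`: `/* PHP_INI_SYSTEM on purpose: rsh/ssh preauth must not be re-enabled from script via ini_set(); see bug #77153 */`. The `/* {{{ PHP_INI` fold marker could also name the single entry it wraps.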
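Review bot: `REGISTER_INI_ENTRIES()` is added to `PHP_MINIT_FUNCTION(imap)` in the `@@ -832` hunk, but no matching `UNREGISTER_INI_ENTRIES()` appears anywhere in this patch; unless `PHP_MSHUTDOWN_FUNCTION(imap)` (outside the hunk) already calls it, the entries stay registered after the module is unloaded, which is the usual leak / dangling-pointer problem for extensions loaded as shared objects. Adding `UNREGISTER_INI_ENTRIES();` as the first statement of the MSHUTDOWN function would close that. The body of `PHP_MINIT_FUNCTION(imap)` continues on both sides of the hunk.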
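Review bot: The comment on the new block in the `@@ -1049` hunk says what is disabled but not how a timeout of 0 achieves it, which a later reader may take as "no timeout" rather than "never attempt". As far as I know c-client's rsh/ssh preauthentication path returns without running anything when the configured timeout is zero; that should be confirmed against the bundled c-client and then stated, e.g. `/* a 0 timeout makes c-client skip the rsh/ssh preauth attempt entirely, see https://bugs.php.net/bug.php?id=77153 */`. It is also worth saying in the comment that this is a process-wide c-client parameter applied once at MINIT, so with the INI at its default no later request can reach the rsh/ssh path. The enclosing `PHP_MINIT_FUNCTION(imap)` starts before the hunk.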
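Review bot: The new `enable_rsh` global in the php_imap.h hunk has no comment, while the neighbouring `gets_stream` field documents its purpose; `/* rsh/ssh preauth allowed; backed by the imap.enable_insecure_rsh INI (system scope) */` would make the link to the INI entry visible from the header. `ZEND_BEGIN_MODULE_GLOBALS(imap)` opens before the hunk.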
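Review bot: The test in `ext/imap/tests/bug77153.phpt` asserts only that the marker file is absent after `imap_open()`, so it also passes when the call fails for an unrelated reason before the rsh/ssh path is ever considered, and it says nothing about which control it is exercising. The SKIPIF and FILE sections also appear truncated in this view (no `<?php` opener, no `$payload` assignment), which is probably extraction loss but should be checked in the real file. A second assertion such as `var_dump(ini_get('imap.enable_insecure_rsh'));` with an expected `string(1) "0"` would document the default the test depends on and fail if that default ever changes.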
From 11ddf7669a58969ad9101032ce891b951819b3e1 Mon Sep 17 00:00:00 2001 From: "Valentin V. Bartenev" Date: Tue, 20 Nov 2018 18:48:06 +0300 Subject: [PATCH 2/2] Fix bug #71041 dynamic embed SAPI load error If the library is built with ZEND_SIGNALS defined, it's unusable with an external SAPI module because the zend_signal_startup() call is mandatory in this case. This bug is similar to #74149, but related to dynamic loading of PHP library. --- NEWS | 4 ++++ Zend/zend_signal.c | 2 +- Zend/zend_signal.h | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 7e00a9a2bd0..11e27b84d36 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2018, PHP 7.1.25 +- Core: + . Fixed bug #71041 (zend_signal_startup() needs ZEND_API). + (Valentin V. Bartenev) + - ftp: . Fixed bug #77151 (ftp_close(): SSL_read on shutdown). (Remi) diff --git a/Zend/zend_signal.c b/Zend/zend_signal.c index 24d454d7391..63076209bf0 100644 --- a/Zend/zend_signal.c +++ b/Zend/zend_signal.c @@ -399,7 +399,7 @@ void zend_signal_init(void) /* {{{ */ /* {{{ zend_signal_startup * alloc zend signal globals */ -void zend_signal_startup(void) +ZEND_API void zend_signal_startup(void) { #ifdef ZTS diff --git a/Zend/zend_signal.h b/Zend/zend_signal.h index e8ee7d6db0d..462d06f4647 100644 --- a/Zend/zend_signal.h +++ b/Zend/zend_signal.h @@ -89,7 +89,7 @@ ZEND_API void zend_signal_handler_unblock(void); void zend_signal_activate(void); void zend_signal_deactivate(void); BEGIN_EXTERN_C() -void zend_signal_startup(void); +ZEND_API void zend_signal_startup(void); END_EXTERN_C() void zend_signal_init(void);
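Review bot: The `ZEND_API` export in the zend_signal.h hunk (and the matching definition in zend_signal.c) fixes the link failure, but the header still says nothing about when the function must be called; the commit message states the call is mandatory for an external SAPI when `ZEND_SIGNALS` is defined, and that contract belongs next to the declaration so embedders find it without reading the bug. I would add above the declaration: `/* Must be called once by the SAPI at process startup when ZEND_SIGNALS is defined; exported so external SAPIs can do so (bug #71041) */`. The exact ordering relative to other startup calls is not visible here and should be confirmed before wording it more precisely.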