[prev in list] [next in list] [prev in thread] [next in thread] 

List:       php-internals
Subject:    [PHP-DEV] patch for imap bug 77153
From:       Stanislav Malyshev <smalyshev () gmail ! com>
Date:       2018-11-20 19:45:51
Message-ID: 47dd2988-6fb2-0685-efa1-a58cb55e9ecb () gmail ! com
[Download RAW message or body]

Hi!

I've checked in the patch for https://bugs.php.net/bug.php?id=77153,
which disables by default rsh/ssh login functionality in IMAP. I assume
most people neither know such functionality existed nor need it, but
still it's a BC break. The reason why I did it is because IMAP library
does not validate mailbox parameters it sends to the underlying shell
commands, which creates all kinds of unpleasant security scenarios (see
bug for details).

Strictly speaking, such bug is a problem in the library, not PHP
wrapper, since all parsing and mailbox string handling is done inside
the library and it completely opaque to PHP. However, c-client library
has been essentially unsupported for many years (why we're using an
ancient unsupported library is a separate issue which we'd probably want
to address but let's not get distracted) so no fix is probably coming
from that direction. And since imap extension is used by a bunch of
tools and most are not aware underlying library has this vulnerability,
I think disabling this function is a right thing to do. More details in
the bug and in the UPGRADING note.

I've merged patch now since the issue is public (essentially has been
for a while, and was first submitted as
https://bugs.php.net/bug.php?id=76428 but at the time I haven't realized
c-client is not going to be fixed, which is my fault - should have
checked the status of this library). Despite it not being a PHP issue
per se, I think we may still want a CVE for it.

For RMs, please incorporate it into the next release. Maybe not that
urgent for PHP 7.3.0RC6 since it's not a production release anyway.

Please comment if you see any troubles or have any questions about the fix.
-- 
Stas Malyshev
smalyshev@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

[prev in list] [next in list] [prev in thread] [next in thread]