diff options
author | Stanislav Malyshev <stas@php.net> | 2018-11-29 00:47:07 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2018-12-03 14:36:45 +0100 |
commit | 3a144d3f7f6bad308e2bf112ebf16829eb298f20 (patch) | |
tree | 3b7b5946292ac0c04bd64e14a484edd65d1a76cc | |
parent | bf36d811f15f0618b3a5f711bf6654bd088a0071 (diff) | |
download | php-git-3a144d3f7f6bad308e2bf112ebf16829eb298f20.tar.gz |
Disable rsh/ssh functionality in imap by default (bug #77153)
(cherry picked from commit 05782f01f5d179187798551e901d06d2c621bdae)
(cherry picked from commit 3f165e8ca3dd8914e50dfebdd48a75a4027f0058)
-rw-r--r-- | ext/imap/php_imap.c | 19 | ||||
-rw-r--r-- | ext/imap/php_imap.h | 1 | ||||
-rw-r--r-- | ext/imap/tests/bug77153.phpt | 24 |
3 files changed, 44 insertions, 0 deletions
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c index 5fa32df2bc..9e626a4cfa 100644 --- a/ext/imap/php_imap.c +++ b/ext/imap/php_imap.c @@ -561,6 +561,15 @@ static const zend_module_dep imap_deps[] = { }; /* }}} */ + +/* {{{ PHP_INI + */ +PHP_INI_BEGIN() +STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals) +PHP_INI_END() +/* }}} */ + + /* {{{ imap_module_entry */ zend_module_entry imap_module_entry = { @@ -831,6 +840,8 @@ PHP_MINIT_FUNCTION(imap) { unsigned long sa_all = SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY; + REGISTER_INI_ENTRIES(); + #ifndef PHP_WIN32 mail_link(&unixdriver); /* link in the unix driver */ mail_link(&mhdriver); /* link in the mh driver */ @@ -1048,6 +1059,12 @@ PHP_MINIT_FUNCTION(imap) GC_TEXTS texts */ + if (!IMAPG(enable_rsh)) { + /* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */ + mail_parameters (NIL, SET_RSHTIMEOUT, 0); + mail_parameters (NIL, SET_SSHTIMEOUT, 0); + } + le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number); return SUCCESS; } @@ -1135,6 +1152,8 @@ PHP_MINFO_FUNCTION(imap) php_info_print_table_row(2, "Kerberos Support", "enabled"); #endif php_info_print_table_end(); + + DISPLAY_INI_ENTRIES(); } /* }}} */ diff --git a/ext/imap/php_imap.h b/ext/imap/php_imap.h index 1a086c4ea3..6e5cfdb31c 100644 --- a/ext/imap/php_imap.h +++ b/ext/imap/php_imap.h @@ -229,6 +229,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap) #endif /* php_stream for php_mail_gets() */ php_stream *gets_stream; + zend_bool enable_rsh; ZEND_END_MODULE_GLOBALS(imap) #ifdef ZTS diff --git a/ext/imap/tests/bug77153.phpt b/ext/imap/tests/bug77153.phpt new file mode 100644 index 0000000000..63590aee1d --- /dev/null +++ b/ext/imap/tests/bug77153.phpt @@ -0,0 +1,24 @@ +--TEST-- +Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter) +--SKIPIF-- +<?php + if (!extension_loaded("imap")) { + die("skip imap extension not available"); + } +?> +--FILE-- +<?php +$payload = "echo 'BUG'> " . __DIR__ . '/__bug'; +$payloadb64 = base64_encode($payload); +$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}"; +@imap_open('{'.$server.':143/imap}INBOX', '', ''); +// clean +imap_errors(); +var_dump(file_exists(__DIR__ . '/__bug')); +?> +--EXPECT-- +bool(false) +--CLEAN-- +<?php +if(file_exists(__DIR__ . '/__bug')) unlink(__DIR__ . '/__bug'); +?>
\ No newline at end of file |