summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2018-11-29 00:47:07 +0100
committerChristoph M. Becker <cmbecker69@gmx.de>2018-12-03 14:36:45 +0100
commit3a144d3f7f6bad308e2bf112ebf16829eb298f20 (patch)
tree3b7b5946292ac0c04bd64e14a484edd65d1a76cc
parentbf36d811f15f0618b3a5f711bf6654bd088a0071 (diff)
downloadphp-git-3a144d3f7f6bad308e2bf112ebf16829eb298f20.tar.gz
Disable rsh/ssh functionality in imap by default (bug #77153)
(cherry picked from commit 05782f01f5d179187798551e901d06d2c621bdae) (cherry picked from commit 3f165e8ca3dd8914e50dfebdd48a75a4027f0058)
Diffstat
-rw-r--r--ext/imap/php_imap.c19
-rw-r--r--ext/imap/php_imap.h1
-rw-r--r--ext/imap/tests/bug77153.phpt24
3 files changed, 44 insertions, 0 deletions
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index 5fa32df2bc..9e626a4cfa 100644
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -561,6 +561,15 @@ static const zend_module_dep imap_deps[] = {
};
/* }}} */
+
+/* {{{ PHP_INI
+ */
+PHP_INI_BEGIN()
+STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals)
+PHP_INI_END()
+/* }}} */
+
+
/* {{{ imap_module_entry
*/
zend_module_entry imap_module_entry = {
@@ -831,6 +840,8 @@ PHP_MINIT_FUNCTION(imap)
{
unsigned long sa_all = SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY;
+ REGISTER_INI_ENTRIES();
+
#ifndef PHP_WIN32
mail_link(&unixdriver); /* link in the unix driver */
mail_link(&mhdriver); /* link in the mh driver */
@@ -1048,6 +1059,12 @@ PHP_MINIT_FUNCTION(imap)
GC_TEXTS texts
*/
+ if (!IMAPG(enable_rsh)) {
+ /* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */
+ mail_parameters (NIL, SET_RSHTIMEOUT, 0);
+ mail_parameters (NIL, SET_SSHTIMEOUT, 0);
+ }
+
le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number);
return SUCCESS;
}
@@ -1135,6 +1152,8 @@ PHP_MINFO_FUNCTION(imap)
php_info_print_table_row(2, "Kerberos Support", "enabled");
#endif
php_info_print_table_end();
+
+ DISPLAY_INI_ENTRIES();
}
/* }}} */
diff --git a/ext/imap/php_imap.h b/ext/imap/php_imap.h
index 1a086c4ea3..6e5cfdb31c 100644
--- a/ext/imap/php_imap.h
+++ b/ext/imap/php_imap.h
@@ -229,6 +229,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap)
#endif
/* php_stream for php_mail_gets() */
php_stream *gets_stream;
+ zend_bool enable_rsh;
ZEND_END_MODULE_GLOBALS(imap)
#ifdef ZTS
diff --git a/ext/imap/tests/bug77153.phpt b/ext/imap/tests/bug77153.phpt
new file mode 100644
index 0000000000..63590aee1d
--- /dev/null
+++ b/ext/imap/tests/bug77153.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter)
+--SKIPIF--
+<?php
+ if (!extension_loaded("imap")) {
+ die("skip imap extension not available");
+ }
+?>
+--FILE--
+<?php
+$payload = "echo 'BUG'> " . __DIR__ . '/__bug';
+$payloadb64 = base64_encode($payload);
+$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}";
+@imap_open('{'.$server.':143/imap}INBOX', '', '');
+// clean
+imap_errors();
+var_dump(file_exists(__DIR__ . '/__bug'));
+?>
+--EXPECT--
+bool(false)
+--CLEAN--
+<?php
+if(file_exists(__DIR__ . '/__bug')) unlink(__DIR__ . '/__bug');
+?> \ No newline at end of file
View Lorry Controller Status