author Stanislav Malyshev <stas@php.net> 2018-11-20 11:19:51 -0800
committer Stanislav Malyshev <stas@php.net> 2018-11-20 11:20:45 -0800
commit 63973d1b3384c236cf8576ba46deb55c0a1dc7ad
tree 47d3306f05050506ea1f740ccd4be6ca0a682a33
parent 44b08a98029b4939200ebf774775461bc19fa608
parent 336d2086a9189006909ae06c7e95902d7d5ff77e
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2: Disable rsh/ssh functionality in imap by default (bug #77153)
-rw-r--r-- NEWS 4
-rw-r--r-- UPGRADING 6
2 files changed, 10 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 2a91ef2cba..b97fe025ea 100644
--- a/NEWS
+++ b/NEWS
@@ -15,6 +15,10 @@ PHP NEWS
. Fixed bug #77147 (Fixing 60494 ignored ICONV_MIME_DECODE_CONTINUE_ON_ERROR).
(cmb)
+- IMAP:
+ . Fixed bug #77153 (imap_open allows to run arbitrary shell commands via
+ mailbox parameter). (Stas)
+
- MBstring:
. Fixed bug #77165 (mb_check_encoding crashes when argument given an empty
array). (Nikita)
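Review bot: The added IMAP entry in NEWS records only the symptom ("imap_open allows to run arbitrary shell commands via mailbox parameter") and does not say that the fix is a change of default, so someone reading NEWS alone will not learn that rsh/ssh logins are now off unless imap.enable_insecure_rsh is set. Consider extending the entry with a short pointer, for example "rsh/ssh logins are now disabled by default, see UPGRADING", so that deployments relying on rsh/ssh preauthenticated logins know to look there before upgrading.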
diff --git a/UPGRADING b/UPGRADING
index 8df033036a..bef3d3056b 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -112,6 +112,12 @@ BCMath:
. bcmul() and bcpow() now return numbers with the requested scale. Formerly,
the returned numbers may have omitted trailing decimal zeroes.
+IMAP:
+ rsh/ssh logins are disabled by default. Use imap.enable_insecure_rsh if you want
+ to enable them. Note that the IMAP library does not filter mailbox names before
+ passing them to rsh/ssh command, thus passing untrusted data to this function
+ with rsh/ssh enabled is insecure.
+
MBString:
. Due to added support for named captures, mb_ereg_*() patterns using named
captures will behave differently. In particular named captures will be part
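Review bot: In the added IMAP paragraph of UPGRADING, "passing untrusted data to this function" has no antecedent, because the paragraph never names a function; name imap_open() explicitly, since the NEWS entry identifies its mailbox parameter as the input that reaches the rsh/ssh command. It would also help to say where imap.enable_insecure_rsh is set and which value enables the logins, and the paragraph lacks the ". " item marker that the neighbouring BCMath and MBString entries use.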