raven-rhel6/isp-php54/bug77153.patch

Backported for 5.4, from 5.6, by Remi


From e5bfea64c81ae34816479bb05d17cdffe45adddb Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 18 Nov 2018 17:10:43 -0800
Subject: [PATCH] Disable rsh/ssh functionality in imap by default (bug #77153)

---
 NEWS                         |  4 ++++
 UPGRADING                    |  7 +++++++
 ext/imap/php_imap.c          | 17 +++++++++++++++++
 ext/imap/php_imap.h          |  1 +
 ext/imap/tests/bug77153.phpt | 24 ++++++++++++++++++++++++
 5 files changed, 53 insertions(+)
 create mode 100644 ext/imap/tests/bug77153.phpt

diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index 00eae89a963b..f6feebe9f769 100644
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -562,6 +562,15 @@ static const zend_module_dep imap_deps[] = {
 };
 /* }}} */
 
+
+/* {{{ PHP_INI
+ */
+PHP_INI_BEGIN()
+STD_PHP_INI_BOOLEAN("imap.enable_insecure_rsh", "0", PHP_INI_SYSTEM, OnUpdateBool, enable_rsh, zend_imap_globals, imap_globals)
+PHP_INI_END()
+/* }}} */
+
+
 /* {{{ imap_module_entry
  */
 zend_module_entry imap_module_entry = {
@@ -835,6 +844,8 @@ PHP_MINIT_FUNCTION(imap)
 {
 	unsigned long sa_all =	SA_MESSAGES | SA_RECENT | SA_UNSEEN | SA_UIDNEXT | SA_UIDVALIDITY;
 
+	REGISTER_INI_ENTRIES();
+
 #ifndef PHP_WIN32
 	mail_link(&unixdriver);		/* link in the unix driver */
 	mail_link(&mhdriver);		/* link in the mh driver */
@@ -1052,6 +1063,12 @@ PHP_MINIT_FUNCTION(imap)
 	GC_TEXTS               texts
 	*/
 
+	if (!IMAPG(enable_rsh)) {
+		/* disable SSH and RSH, see https://bugs.php.net/bug.php?id=77153 */
+		mail_parameters (NIL, SET_RSHTIMEOUT, 0);
+		mail_parameters (NIL, SET_SSHTIMEOUT, 0);
+	}
+
 	le_imap = zend_register_list_destructors_ex(mail_close_it, NULL, "imap", module_number);
 	return SUCCESS;
 }
diff --git a/ext/imap/php_imap.h b/ext/imap/php_imap.h
index 3a1d048cd3e2..0c3ce78d4855 100644
--- a/ext/imap/php_imap.h
+++ b/ext/imap/php_imap.h
@@ -214,6 +214,7 @@ ZEND_BEGIN_MODULE_GLOBALS(imap)
 #endif
 	/* php_stream for php_mail_gets() */
 	php_stream *gets_stream;
+	zend_bool enable_rsh;
 ZEND_END_MODULE_GLOBALS(imap)
 
 #ifdef ZTS
diff --git a/ext/imap/tests/bug77153.phpt b/ext/imap/tests/bug77153.phpt
new file mode 100644
index 000000000000..63590aee1dde
--- /dev/null
+++ b/ext/imap/tests/bug77153.phpt
@@ -0,0 +1,24 @@
+--TEST--                                 
+Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter)
+--SKIPIF--
+<?php
+        if (!extension_loaded("imap")) { 
+                die("skip imap extension not available");  
+        }
+?>
+--FILE--
+<?php
+$payload = "echo 'BUG'> " . __DIR__ . '/__bug';
+$payloadb64 = base64_encode($payload);
+$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}";
+@imap_open('{'.$server.':143/imap}INBOX', '', '');
+// clean
+imap_errors();
+var_dump(file_exists(__DIR__ . '/__bug'));
+?>
+--EXPECT--
+bool(false)
+--CLEAN--
+<?php
+if(file_exists(__DIR__ . '/__bug')) unlink(__DIR__ . '/__bug');
+?>
\ No newline at end of file
From d8765852e0400ee2ce8ae9e2177c42731d4539d8 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Wed, 28 Nov 2018 15:45:51 -0800
Subject: [PATCH] Add DISPLAY_INI_ENTRIES for imap

---
 ext/imap/php_imap.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index f6feebe9f769..a23e84c08521 100644
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -1155,6 +1155,8 @@ PHP_MINFO_FUNCTION(imap)
 	php_info_print_table_row(2, "Kerberos Support", "enabled");
 #endif
 	php_info_print_table_end();
+
+	DISPLAY_INI_ENTRIES();
 }
 /* }}} */