Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:103464
Return-Path: <smalyshev@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 90378 invoked from network); 20 Nov 2018 23:23:57 -0000
Received: from unknown (HELO mail-pl1-f181.google.com) (209.85.214.181)
  by pb1.pair.com with SMTP; 20 Nov 2018 23:23:57 -0000
Received: by mail-pl1-f181.google.com with SMTP id u6so1803925plm.8
        for <internals@lists.php.net>; Tue, 20 Nov 2018 11:45:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=to:from:subject:openpgp:autocrypt:message-id:date:user-agent
         :mime-version:content-language:content-transfer-encoding;
        bh=pXwPe+aOdSJ618MH3Ppu5T3WsWAGuvv2nUjcrPnDugs=;
        b=s5eMsjOC38Met4MPjqcxwRZWk6VDRYFyFwHK2L7/t16PcDj5N9/1Oy7bzFum+//LqW
         tnAV8AXesWFF9qwmzTKeDZFb+JrZXNc3aNAz02AV6X1BZ8n/S9yHtUWRQvM+4LOIfx8Y
         5Pl9erVLIZTaODfAgG2vzjjI7lI50ESf+jr6s4lfylpXupFUZEgg3TK7Z31LkZ1WzQUU
         q1A/d71YVVjcRpPwq4YuNxQL0DxehEsMk4e8ozLTZ2ty3nkZISJJoKCcCsfI4vOwEaak
         3pmWMn8I16LeCoGXu64fioTYLNKgR8rO+xPNNw88bf4ioe2gNNZRDo52mq4nyevGJ7iV
         G5bA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:to:from:subject:openpgp:autocrypt:message-id
         :date:user-agent:mime-version:content-language
         :content-transfer-encoding;
        bh=pXwPe+aOdSJ618MH3Ppu5T3WsWAGuvv2nUjcrPnDugs=;
        b=cHsSIdFou0Rt05+IqOJrTug6362cuLuusfLzipMQ1jgFyg1fVBGegvTN6OQxUCgiFd
         kcbP7wCdCJMmymEhhj/NSK+CuZbkU7vAkTDlLmelqTiNo4Kzjv7BVj7D4BmTMGa705kq
         Q5ThNWim6eQeOJ8z4VIfmdH9mj0eTdteuvM/YuYzzp2mpH0J71URJ0w0qEoPfbecLtWQ
         xYaNSsp4nazSwrRZ84Oa03TI8d0KMxbxCgEFG9ySf2HwsQhaRdvIehwkAXHhwF1fMhMu
         rexcKWQ3IyR+kXCia9uB4qAXoJsRwYsusrI+UqPa/Bm48dZBI7ODi/BX4HeK/ELuAq7v
         te0A==
X-Gm-Message-State: AA+aEWaL6EdZ3DR9Ho03e3EMBDXjQSX3sh8heqrHMNrPFzPYfcdKTqOL
	a28aK3aosGUs5jFPIFVGpKjbi8cOBA==
X-Google-Smtp-Source: AFSGD/Ur6SNPkQrRJvm62MVNXi7zee2LXpgZsCqpLJSmwHHDKNE3gvf1u2AqXJ8PNSDh/hEAslpM9w==
X-Received: by 2002:a17:902:6ac3:: with SMTP id i3-v6mr3582396plt.153.1542743153259;
        Tue, 20 Nov 2018 11:45:53 -0800 (PST)
Received: from Stas-Pro-2016.lan (c-24-4-176-254.hsd1.ca.comcast.net. [24.4.176.254])
        by smtp.gmail.com with ESMTPSA id z9sm31792707pfd.99.2018.11.20.11.45.52
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 20 Nov 2018 11:45:52 -0800 (PST)
To: PHP Internals <internals@lists.php.net>,
 "release-managers@php.net" <release-managers@php.net>
Openpgp: preference=signencrypt
Autocrypt: addr=smalyshev@gmail.com; prefer-encrypt=mutual; keydata=
 xsJuBE9mqaARCACFSqcGmNunkjQQu3X+yXnTmFeEkvM4JXZTOBdR8aEevNGmmFEfyvjaDjWi
 9hcwp4E/lYtC+P7VsVjM1OSX9eq0jC/lGL0ZyRXek+mNy0n5H1NSuTpf9Y18LMqhc4G+RU+L
 cNiZ9K0DJuOOvNLPxW7OHZguxb3wdKPXNVa2jyRfJAKm2uaJJMT1mTmFT9a0Q8SKr+mUrrJk
 uG0H2o6SzrKt8Wwoint1eh67zVsJaJtQFchnEZnlawIcqP2yC4nLGR3MkubowxoEBYCZet18
 aHVVRbvpG2Qtob8Lu5xrsGbmXymTkHTdpvkfcJFADa8MzOL90zOxXwbGfbIZOlh5En8jAQCX
 lfnx2eQL3BSW/6XANa51dbWiEp1d1BAkpGKtZvlk0Qf+M9WAi+9aXMe3xP5krxtgnRNUf2WN
 6Zdy2MxL1RRJCFbytLhl0ronC49BsGYVGshdEH8xhBbiIOJKuVZ/DTl9bEm7P9c7CC7iJyVC
 khUAhouH6xzZQNLR+RU+QebYzXypVfl99Qk7EdMmr/WAZCHLuvanyqepC5EBsa3VnAfQemSN
 oBeGBKWWLiOsPjvS72+y1z4RUMAfXHn4l/sFMt8zt7/74AmJPwZquV41p4mPO12V4+xPyc6R
 sB84sfsk2QVivU8w8AkvGQeYjXoz7Iwao95+fWteVzZ36KRQvUckP8pGjHlDXnHxJ0HI1I/k
 OBZSjwRwUf0dd73y6erPhbLk+gf+NdI3H9KGJBzG5/rVyWKwUeQ9d5ud4jTJRkQGvAP5pg76
 vEa9dogbpe4W5Z+0BfbiJSnQmQWSHiZddj/t33ptbup44Ck6ZTgdlmFYMLF1hR47PIZTDKER
 EuKYGci/vq8snZvEJP9YCw/TtiHcMdrMKcY/+Lp8lQO0GHLPB9glVhnC0db6l1Xpg1CMI8/R
 ozBMcij30EgATggC/y2zbiqAFoS9FN9nXPbe4phStqABEyeZ+nXudt7PUYTjVgcrqo8bHZCi
 sBobWC7OnKyUzxVxzUeuPkIfmZuzkLaMw2McQdvwwsNvQ0DzaLP30c1Xsm/7EIYJcOWpzlVJ
 5QrdmE0/Bc0yU3RhbmlzbGF2IE1hbHlzaGV2IChQSFAga2V5KSA8c21hbHlzaGV2QGdtYWls
 LmNvbT7CegQTEQgAIgUCT2aqtAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQL3lW
 vF2gS12XMwD9HuRIolSwIK77u8EY461y2u6sbX36n5/uo/LDQuxoi3sA/0MvpnvzOhv9Iufv
 vsZEj3E7i3h+iD5648YMwfTFCij+zsFNBE9mqaAQCADfZPMpjZkkGZj3BY/7ApoLq4mwqzbh
 +CpLXwNn20tFNvSXfb8RdeXvVEb7Scx+W9qYpiaun2iXJgCVH8fgpZpR856ulT1q6uCG++CX
 ubEvip/eJkZl93/84h04KQJwsgOrAh0Om3OePRn8Pr+++0LNS0EL8uX/YHeTOGOnnmTqYTey
 SBVFdov6L4mepddfjekicKQqhL7mZh/xuq29JijT0uNNX8v4vDWQDu5dlAcdd+uB3gcXMD/P
 ginD11zp+6wtrWCm/+yBqpvDwXQX5PGUnwvbRfl7Ay3MmwmoXiecZMg0dwTSc7e0lhB4HGRH
 ZdBMJB4rHUVGdzqujK/ctOvrAAMFB/0Utb76Qe6sCMlHxVAmeE/fbo7Pi05btZ/x01r67dHf
 aMSP0riCKJ7M0OW+jAXtu9+z/BVnYisW67WWfxl2cS5tZDgiHgJARXWUOO72+sScHP8KQmTl
 1z16gyKbwY3SmyBkwcpOL35nhUWNLy93syPoY6sZUTikr2bZYukHDQ33XBPs4e6MbWKfsa9q
 aVmnlOF3k5UqChjutfHaEa4Q7VP4wBIpphHBi9MI16oJIzzBPbGl2uoedjwiZ6QeQZnSuOVY
 ZxU2d3lRA8PrtfFN1VSlpEm/VcAvtieHUYWHN0wOu+cp3Slr5XJVNjTjJhl28SlinMME54mK
 AGf2Ldr/dRwXwmEEGBEIAAkFAk9mqaACGwwACgkQL3lWvF2gS126EQD/VVd3FgjLKglClRQP
 zdfU847tqDK4zJjbmRv5vLLwoE0A+wbrQs7jVGU3NrS0AIl5vUmewpp2BKzSkepy23nWmejw
Message-ID: <47dd2988-6fb2-0685-efa1-a58cb55e9ecb@gmail.com>
Date: Tue, 20 Nov 2018 11:45:51 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0)
 Gecko/20100101 Thunderbird/60.3.1
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Subject: patch for imap bug 77153
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

I've checked in the patch for https://bugs.php.net/bug.php?id=77153,
which disables by default rsh/ssh login functionality in IMAP. I assume
most people neither know such functionality existed nor need it, but
still it's a BC break. The reason why I did it is because IMAP library
does not validate mailbox parameters it sends to the underlying shell
commands, which creates all kinds of unpleasant security scenarios (see
bug for details).

Strictly speaking, such bug is a problem in the library, not PHP
wrapper, since all parsing and mailbox string handling is done inside
the library and it completely opaque to PHP. However, c-client library
has been essentially unsupported for many years (why we're using an
ancient unsupported library is a separate issue which we'd probably want
to address but let's not get distracted) so no fix is probably coming
from that direction. And since imap extension is used by a bunch of
tools and most are not aware underlying library has this vulnerability,
I think disabling this function is a right thing to do. More details in
the bug and in the UPGRADING note.

I've merged patch now since the issue is public (essentially has been
for a while, and was first submitted as
https://bugs.php.net/bug.php?id=76428 but at the time I haven't realized
c-client is not going to be fixed, which is my fault - should have
checked the status of this library). Despite it not being a PHP issue
per se, I think we may still want a CVE for it.

For RMs, please incorporate it into the next release. Maybe not that
urgent for PHP 7.3.0RC6 since it's not a production release anyway.

Please comment if you see any troubles or have any questions about the fix.
-- 
Stas Malyshev
smalyshev@gmail.com