Newsgroups: php.internals
To: Stanislav Malyshev, PHP Internals, "release-managers@php.net"
References: <47dd2988-6fb2-0685-efa1-a58cb55e9ecb@gmail.com>
Message-ID: <563360e1-aa2f-6a2f-7299-caf9b85f2fff@gmx.de>
Date: Tue, 20 Nov 2018 23:41:43 +0100
In-Reply-To: <47dd2988-6fb2-0685-efa1-a58cb55e9ecb@gmail.com>
Subject: Re: patch for imap bug 77153
From: cmbecker69@gmx.de ("Christoph M. Becker")

On 20.11.2018 at 20:45, Stanislav Malyshev wrote:

> Strictly speaking, such bug is a problem in the library, not PHP
> wrapper, since all parsing and mailbox string handling is done inside
> the library and it completely opaque to PHP. However, c-client library
> has been essentially unsupported for many years (why we're using an
> ancient unsupported library is a separate issue which we'd probably want
> to address but let's not get distracted) so no fix is probably coming
> from that direction. And since imap extension is used by a bunch of
> tools and most are not aware underlying library has this vulnerability,
> I think disabling this function is a right thing to do. More details in
> the bug and in the UPGRADING note.

I fully agree with the fix (thanks!), and also that it is a security
issue. However, I don't think it's really a problem in c-client;
actually the PHP wrapper should not have allowed to pass the mailbox
name verbatim, which would only be reasonable in my opinion, if we were
supporting arbitrary drivers (which we don't). And of course, userland
clients should not pass unvalidated input as mailbox name, but as you
said, quite likely at least some developers are not aware that
potentially arbitrary shell commands could be executed this way, and our
docs don't explicitly mention this issue.

> For RMs, please incorporate it into the next release. Maybe not that
> urgent for PHP 7.3.0RC6 since it's not a production release anyway.

PHP-7.3.0 has already been branched, and PHP-7.2.13RC1 and PHP-7.3.0RC6
have already been tagged without the patch. We probably should re-tag.

-- 
Christoph M. Becker
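
The point made in the message above about userland code not passing unvalidated input as the mailbox name, as an added example that is not part of the original message and not php-src code: a hypothetical build_mailbox() helper assembles the string for imap_open() from validated parts. The helper name, the flag allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not php-src code. Assumption: the application needs only
// these mailbox flags; anything else is refused.
const ALLOWED_FLAGS = ['imap', 'ssl', 'tls', 'notls', 'novalidate-cert', 'readonly'];

// Hypothetical helper: returns "{host:port/flags}folder" or throws.
function build_mailbox(string $host, int $port, array $flags, string $folder = 'INBOX'): string
{
    // Host name or IPv4 literal only. Rejects whitespace, braces, slashes,
    // quotes and a leading '-', so nothing but a host reaches the library.
    if (!preg_match('/\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?\z/', $host)) {
        throw new InvalidArgumentException('invalid IMAP host');
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException('invalid IMAP port');
    }
    foreach ($flags as $flag) {
        if (!in_array($flag, ALLOWED_FLAGS, true)) {
            throw new InvalidArgumentException('mailbox flag not allowed');
        }
    }
    // Folder: no braces (they would open a new server spec), no control chars.
    if ($folder === '' || preg_match('/[{}\x00-\x1F\x7F]/', $folder)) {
        throw new InvalidArgumentException('invalid folder name');
    }
    $spec = $host . ':' . $port;
    foreach ($flags as $flag) {
        $spec .= '/' . $flag;
    }
    return '{' . $spec . '}' . $folder;
}

// Constructed sample inputs: [host, port, flags, folder].
$samples = [
    ['mail.example.org', 993, ['imap', 'ssl'], 'INBOX'],
    ['mail.example.org extra words', 143, ['imap'], 'INBOX'],  // whitespace in host
    ['mail.example.org', 143, ['imap', 'unknown-flag'], 'INBOX'],
    ['mail.example.org', 143, ['imap'], '{other.example.org}INBOX'],
];
foreach ($samples as [$host, $port, $flags, $folder]) {
    try {
        // Only a string that passed every check would go on to imap_open().
        echo 'accepted: ', build_mailbox($host, $port, $flags, $folder), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```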