Hi! I've checked in the patch for https://bugs.php.net/bug.php?id=77153, which disables by default rsh/ssh login functionality in IMAP. I assume most people neither know such functionality existed nor need it, but still it's a BC break. The reason why I did it is because IMAP library does not validate mailbox parameters it sends to the underlying shell commands, which creates all kinds of unpleasant security scenarios (see bug for details).
Strictly speaking, such a bug is a problem in the library, not the PHP wrapper, since all parsing and mailbox string handling is done inside the library and it is completely opaque to PHP. However, the c-client library has been essentially unsupported for many years (why we're using an ancient unsupported library is a separate issue which we'd probably want to address, but let's not get distracted), so no fix is probably coming from that direction. And since the imap extension is used by a bunch of tools and most are not aware the underlying library has this vulnerability, I think disabling this function is the right thing to do. More details in the bug and in the UPGRADING note.

I've merged the patch now since the issue is public (essentially has been for a while, and was first submitted as https://bugs.php.net/bug.php?id=76428, but at the time I hadn't realized c-client is not going to be fixed, which is my fault - should have checked the status of this library). Despite it not being a PHP issue per se, I think we may still want a CVE for it.

For RMs, please incorporate it into the next release. Maybe not that urgent for PHP 7.3.0RC6 since it's not a production release anyway.

Please comment if you see any troubles or have any questions about the fix.

--
Stas Malyshev
smalys...@gmail.com
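As an added example (not part of the message above or of the PHP patch), here is a defensive check an application can apply before handing a mailbox string to imap_open(): it confirms that rsh/ssh logins are still disabled via the INI directive the fix shipped with (`imap.enable_insecure_rsh`, a name taken from the PHP release, not quoted in the message), and validates the `{host[:port][/flag...]}name` connection spec against an allowlist, so untrusted input never reaches the c-client command path. The host allowlist and the sample inputs are constructed for illustration.

```php
<?php
// Added example: defensive validation of imap_open() mailbox strings.
// Not from the original message or the PHP patch. Assumes the application
// only talks to a known set of IMAP hosts (allowlist below is constructed).

declare(strict_types=1);

const ALLOWED_HOSTS = ['imap.example.com']; // constructed sample allowlist
const ALLOWED_FLAGS = ['imap', 'ssl', 'tls', 'notls', 'novalidate-cert', 'readonly'];

/**
 * Returns true only if $mailbox has the form {host[:port][/flag...]}name with
 * a host from the allowlist, a numeric port and flags from the allowlist.
 * Anything else (shell metacharacters, rsh/ssh style flags, "user=" flags
 * carrying arbitrary content) is rejected before it can reach c-client.
 * Credentials belong in the imap_open() username/password arguments instead.
 */
function isSafeMailboxSpec(string $mailbox): bool
{
    $pattern = '/^\{([A-Za-z0-9.-]+)(?::(\d{1,5}))?((?:\/[A-Za-z0-9-]+)*)\}([A-Za-z0-9._-]*)$/';
    if (!preg_match($pattern, $mailbox, $m)) {
        return false;
    }
    [, $host, $port, $flags] = $m;
    if (!in_array($host, ALLOWED_HOSTS, true)) {
        return false;
    }
    if ($port !== '' && ((int) $port < 1 || (int) $port > 65535)) {
        return false;
    }
    foreach (array_filter(explode('/', $flags)) as $flag) {
        if (!in_array(strtolower($flag), ALLOWED_FLAGS, true)) {
            return false;
        }
    }
    return true;
}

/** True when rsh/ssh logins are disabled, which is the default after the fix. */
function rshLoginsDisabled(): bool
{
    return !filter_var(ini_get('imap.enable_insecure_rsh'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed inputs: the first is the expected form, the others are rejected.
var_dump(isSafeMailboxSpec('{imap.example.com:993/imap/ssl}INBOX'));
var_dump(isSafeMailboxSpec('{imap.example.com/ssh}INBOX'));        // flag not on the allowlist
var_dump(isSafeMailboxSpec('{imap.example.com/user=a b}INBOX'));   // malformed flag with a space
var_dump(isSafeMailboxSpec('{mail.other.example}INBOX'));          // host not on the allowlist
var_dump(rshLoginsDisabled());
```

Calling both checks before every imap_open() keeps the application safe even on a build where someone has re-enabled the directive, since the spec validator alone already excludes the flag forms that would select rsh/ssh.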