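--TEST--
Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter)
--SKIPIF--
<?php
if (!extension_loaded("imap")) {
    die("skip imap extension not available");
}
?>
--FILE--
<?php
// Regression test for bug #77153: a mailbox string handed to imap_open() must
// never result in a shell command being run. The server part below carries an
// option-style argument whose command would create a marker file, so the
// marker's absence after the call is the pass condition.
//
// NOTE(review): the result is only meaningful where the IMAP library would
// actually try to start an external remote-shell client for this mailbox; on
// a host without one the test presumably passes without exercising the fix.
// Confirm that the CI image covers that case.

$marker = __DIR__ . '/__bug';

// A marker left behind by an aborted earlier run would be reported as a
// regression, so start from a known-clean state.
if (file_exists($marker)) {
    unlink($marker);
}

$payload = "echo 'BUG'> " . $marker;
$payloadb64 = base64_encode($payload);
$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}";

// The connection attempt is not expected to succeed; "@" keeps its warnings
// out of the output that is compared against --EXPECT--.
@imap_open('{'.$server.':143/imap}INBOX', '', '');

// Drain the IMAP error stack so queued errors are not printed later.
imap_errors();

// Drop any cached stat result before looking for the marker.
clearstatcache();
var_dump(file_exists($marker));
?>
--EXPECT--
bool(false)
--CLEAN--
<?php
// Remove the marker if a vulnerable build created it, so reruns start clean.
$marker = __DIR__ . '/__bug';
if (file_exists($marker)) {
    unlink($marker);
}
?>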