1--TEST-- 2Bug #77153 (imap_open allows to run arbitrary shell commands via mailbox parameter) 3--SKIPIF-- 4<?php 5extension_loaded('imap') or die('skip imap extension not available in this build'); 6?> 7--CONFLICTS-- 8defaultmailbox 9--FILE-- 10<?php 11$payload = "echo 'BUG'> " . __DIR__ . '/__bug'; 12$payloadb64 = base64_encode($payload); 13$server = "x -oProxyCommand=echo\t$payloadb64|base64\t-d|sh}"; 14@imap_open('{'.$server.':143/imap}INBOX', '', ''); 15// clean 16imap_errors(); 17var_dump(file_exists(__DIR__ . '/__bug')); 18?> 19--EXPECT-- 20bool(false) 21--CLEAN-- 22<?php 23if(file_exists(__DIR__ . '/__bug')) unlink(__DIR__ . '/__bug'); 24?> 25
