php-imap

5.3.0 - Security patch

Open Webklex opened this issue 2 years ago • 1 comments

Impacted are all versions below v5.3.0. If possible, update to >= v5.3.0 as soon as possible. Impacted was the Attachment::save method which could be used to write files to the local filesystem. The path was not properly sanitized and could be used to write files to arbitrary locations.

However, the Attachment::save method is not used by default and has to be called manually. If you are using this method without providing a sanitized path, you are affected by this vulnerability. If you are not using this method or are providing a sanitized path, you are not affected by this vulnerability and no immediate action is required.

Timeline

  • 17.06.23 21:30: Vulnerability reported
  • 18.06.23 19:14: Vulnerability confirmed
  • 19.06.23 18:41: Vulnerability fixed via PR #414
  • 20.06.23 13:45: Security patch released
  • 21.06.23 20:48: CVE-2023-35169 got assigned
  • 21.06.23 20:58: Advisory released https://github.com/Webklex/php-imap/security/advisories/GHSA-47p7-xfcc-4pv9

If you have any questions or comments, please leave them below.

Thank you all and thank you @angelej for your fantastic help :)

Webklex avatar Jun 20 '23 11:06 Webklex

Additionally, never trust user input and always sanitize it before using it. For example:

// Do not do this
file_put_contents($attachment->name, $attachment->content);

// Do this instead
file_put_contents(sanitize($attachment->name), $attachment->content);

Sanitization can be done in many ways. For example, you can use the basename function to remove all path information from the filename. However, this is not a complete sanitization, and you should always use a proper sanitization method for your use case.

Webklex avatar Jun 20 '23 12:06 Webklex
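
One way to apply the advice in the comment above when saving attachments yourself. This is an added example, not code from php-imap or its maintainer: `safe_attachment_name` and `save_attachment` are hypothetical helpers and the sample names are constructed. It goes beyond a bare `basename` call by normalizing backslashes, allow-listing characters, confining the write to one directory, and refusing to overwrite existing files.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of php-imap): reduce an untrusted attachment
// name to a single safe file name component.
function safe_attachment_name(string $untrusted): string
{
    // Treat backslashes as separators too; basename() on Linux does not.
    $name = basename(str_replace('\\', '/', $untrusted));
    // Replace NUL/control bytes and anything outside a conservative allow-list.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', $name) ?? '';
    // Strip leading dots: no ".", "..", or hidden files such as ".htaccess".
    $name = ltrim($name, '.');
    if ($name === '') {
        $name = 'attachment_' . bin2hex(random_bytes(8));
    }
    return substr($name, 0, 200);
}

// Hypothetical helper: write $content directly below $baseDir and nowhere else.
function save_attachment(string $baseDir, string $untrustedName, string $content): string
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('Storage directory does not exist');
    }
    $target = $base . DIRECTORY_SEPARATOR . safe_attachment_name($untrustedName);
    // Defense in depth: the parent of the final path must still be the base directory.
    if (dirname($target) !== $base) {
        throw new RuntimeException('Refusing to write outside storage directory');
    }
    // Mode 'x' fails if the path already exists, so nothing is overwritten.
    $fh = @fopen($target, 'x');
    if ($fh === false) {
        throw new RuntimeException('Target exists or is not writable');
    }
    fwrite($fh, $content);
    fclose($fh);
    return $target;
}

// Constructed sample names, as they might arrive in a mail header.
$dir = sys_get_temp_dir() . '/attachments_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
foreach (['report.pdf', '../../etc/cron.d/job', '..\\..\\boot.ini', '.htaccess', "a\0b.php/.."] as $n) {
    echo json_encode($n), ' => ', save_attachment($dir, $n, 'data'), PHP_EOL;
}
```

Every sample name ends up as a plain file inside the temporary directory; the last one reduces to an empty name and is replaced by a random one.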