IMAP and RSH/SSH Connections

PHP’s imap extension relies on an outdated and unmaintained library. Code that still uses functions such as imap_open() that are provided by this extension should be migrated to libraries implemented in PHP that provide functionality related to IMAP, NNTP, POP3, or local mailboxes.

Back in 2018 it was discovered that the library used by the imap extension can execute shell commands via RSH or SSH. Of course, nobody should do this. But then again, nobody should pass unsafe string from the HTTP request to a function such as imap_open().

If your code, for some obscure reason, relies on the fact that imap_open() can be used to execute shell commands then you need to configure imap.enable_insecure_rsh=1 as of PHP 7.3. By default, RSH/SSH logins are now disabled and executing shell commands using imap_open() will no longer work.

It should go without saying that configuring imap.enable_insecure_rsh=1 must only be a short-term solution. In the long run, you need to update your code to not rely on the imap extension anymore.

openssl_random_pseudo_bytes() Throws Exceptions

Random data is one of the most important prerequisites for cryptographic security. With the openssl extension installed, you can use the function openssl_random_pseudo_bytes() to generate a random sequence of bytes.

As of PHP 7.4, this function will throw an Error exception when you ask for zero (or a negative number of) bytes:

PHP Fatal error:  Uncaught Error: Length must be greater than 0 in ... 

While using a fallback makes a lot of sense in many cases, using a cryptographically insecure source of randomness as fallback when -for whatever reason- no suitable source of randomness is available is a very, very bad idea from a security point of view.

Thus, openssl_random_pseudo_bytes() will now throw an exception in that case, which is more obvious than setting a boolean flag that has been passed by reference as the second argument.

If you start seeing those errors or exceptions after upgrading to PHP 7, chances are that you have a problem with data confidentiality and/or weak encryption. Do not take this lightly, but make sure to fully investigate and properly fix the problem!