From 8b0085dd68a8e008c8a89ebd92516115d3859e71 Mon Sep 17 00:00:00 2001
From: Jared Hancock <jared@osticket.com>
Date: Thu, 26 Sep 2013 02:55:48 +0000
Subject: [PATCH] Disable Kerberos and NTLM auth for mail fetch

On some configurations of PHP and remote mail servers, Kerberos and NTLM
challenge response authentication could be possibly attempted. This is
essentially futile and potentially fatal for osTicket mail fetching, as the
system is currently designed for username and password authentication only.

This patch disables challenge and response authentication for PHP versions
5.3.2 and newer, which support the fix.

This patch also consistently encodes mailbox names according to the rfc 2060
for IMAP.
---
 include/class.mailfetch.php | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/include/class.mailfetch.php b/include/class.mailfetch.php
index 7fee6868a..d57204b89 100644
--- a/include/class.mailfetch.php
+++ b/include/class.mailfetch.php
@@ -28,7 +28,6 @@ class MailFetcher {
     var $srvstr;
 
     var $charset = 'UTF-8';
-    var $encodings =array('UTF-8','WINDOWS-1251', 'ISO-8859-5', 'ISO-8859-1','KOI8-R');
 
     function MailFetcher($email, $charset='UTF-8') {
 
@@ -108,7 +107,7 @@ class MailFetcher {
     }
 
     function getArchiveFolder() {
-        return $this->ht['archive_folder'];
+        return $this->mailbox_encode($this->ht['archive_folder']);
     }
 
     /* Core */
@@ -124,10 +123,19 @@ class MailFetcher {
     /* Default folder is inbox - TODO: provide user an option to fetch from diff folder/label */
     function open($box='INBOX') {
 
-        if($this->mbox)
+        if ($this->mbox)
            $this->close();
 
-        $this->mbox = imap_open($this->srvstr.$box, $this->getUsername(), $this->getPassword());
+        $args = array($this->srvstr.$this->mailbox_encode($box),
+            $this->getUsername(), $this->getPassword());
+
+        // Disable Kerberos and NTLM authentication if it happens to be
+        // supported locally or remotely
+        if (version_compare(PHP_VERSION, '5.3.2', '>='))
+            $args += array(NULL, 0, array(
+                'DISABLE_AUTHENTICATOR' => array('GSSAPI', 'NTLM')));
+
+        $this->mbox = call_user_func_array('imap_open', $args);
 
         return $this->mbox;
     }
@@ -158,7 +166,8 @@ class MailFetcher {
 
         if(!$folder) return false;
 
-        return imap_createmailbox($this->mbox, imap_utf7_encode($this->srvstr.trim($folder)));
+        return imap_createmailbox($this->mbox,
+           $this->srvstr.$this->mailbox_encode(trim($folder)));
     }
 
     /* check if a folder exists - create one if requested */
@@ -198,6 +207,18 @@ class MailFetcher {
         return Format::encode($text, $charset, $encoding);
     }
 
+    function mailbox_encode($mailbox) {
+        if (!$mailbox)
+            return null;
+        // Properly encode the mailbox to UTF-7, according to rfc2060,
+        // section 5.1.3
+        elseif (function_exists('mb_convert_encoding'))
+            return mb_convert_encoding($mailbox, 'UTF7-IMAP', 'utf-8');
+        else
+            // XXX: This function has some issues on some versions of PHP
+            return imap_utf7_encode($mailbox);
+    }
+
     //Generic decoder - resulting text is utf8 encoded -> mirrors imap_utf8
     function mime_decode($text, $encoding='utf-8') {
 
-- 
GitLab