# Security Policy

## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.0.x | :white_check_mark: |
| < 1.0 | :x: |
## Reporting a Vulnerability

If you discover a security vulnerability in php-ymap, please report it privately:

DO NOT open a public GitHub issue for security vulnerabilities.

### How to Report

- Email: Send details to the maintainers via GitHub (use the "Report a security vulnerability" feature in the Security tab)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if available)

### What to Expect

- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix timeline: Depends on severity and complexity
- Credit: You will be credited in the security advisory (unless you prefer to remain anonymous)
## Security Best Practices for Users

### Credential Management
DO:
- Store IMAP credentials in environment variables
- Use secure vaults (AWS Secrets Manager, HashiCorp Vault, etc.)
- Rotate credentials regularly
- Use application-specific passwords when available
DON'T:
- Hardcode credentials in source code
- Commit credentials to version control
- Log credentials in plain text
- Share credentials across multiple applications
### TLS/SSL Configuration

php-ymap supports both the socket connector (default) and the optional native IMAP extension connector. In both cases, enforce TLS:

```php
$config = new ConnectionConfig(
    '{imap.example.com:993/imap/ssl}INBOX',
    getenv('IMAP_USER'),
    getenv('IMAP_PASS')
);
```

Flags for secure connections:

- `/imap/ssl` - Use SSL/TLS encryption
- `/imap/ssl/novalidate-cert` - Avoid in production (disables certificate verification, so the server's identity is never checked and the session can be intercepted)
### Input Validation

When using php-ymap in web applications:

- Sanitize user inputs before using in IMAP searches
- Validate email addresses before using in filters
- Limit result sets to prevent resource exhaustion
- Implement rate limiting on IMAP operations
### Attachment Handling

When processing attachments:

```php
// Sanitize filenames before saving to disk
$filename = basename($attachment->getFilename());
$filename = preg_replace('/[^a-zA-Z0-9._-]/', '_', $filename);

// Validate file types
$allowedTypes = ['image/jpeg', 'image/png', 'application/pdf'];
if (!in_array($attachment->getContentType(), $allowedTypes, true)) {
    // Reject or handle appropriately
}

// Limit file sizes
if ($attachment->getSize() > 10 * 1024 * 1024) { // 10MB
    // Reject large attachments
}
```
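The snippet above leaves two gaps a defender will want closed: a name of `..` or `.htaccess` passes the character filter unchanged, and the `Content-Type` header is chosen by the sender. The following is an added example, not php-ymap code, that sniffs the real type from the bytes, derives the extension from that sniffed type, and writes without overwriting; it assumes the caller already has the raw attachment bytes (php-ymap's accessor for them is not shown on this page), while the name, declared type and size come from the accessors used above.

```php
<?php
declare(strict_types=1);

// Added example (not php-ymap code). Hardened attachment storage: the raw
// bytes are assumed to be supplied by the caller; name, declared type and size
// come from the attachment accessors shown in the policy above.
final class AttachmentStore
{
    // Allowed sniffed MIME type => the only extension it will be written with.
    private const ALLOWED = [
        'image/jpeg'      => 'jpg',
        'image/png'       => 'png',
        'application/pdf' => 'pdf',
    ];
    private const MAX_BYTES = 10 * 1024 * 1024; // 10MB

    /** Writes the attachment into $dir and returns the path, or throws. */
    public static function save(string $name, string $declaredType, int $declaredSize, string $bytes, string $dir): string
    {
        // Refuse on the declared size before doing any work, then re-check the real size.
        if ($declaredSize > self::MAX_BYTES || strlen($bytes) > self::MAX_BYTES) {
            throw new RuntimeException('attachment exceeds 10MB limit');
        }
        // Sniff the real type and require it to match the declared one (parameters stripped).
        $declared = strtolower(trim((string) strtok($declaredType, ';')));
        $actual = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes) ?: 'application/octet-stream';
        if (!isset(self::ALLOWED[$actual]) || $actual !== $declared) {
            throw new RuntimeException("rejected attachment: declared {$declared}, sniffed {$actual}");
        }
        // Keep only a conservative character set in the stem; ".", ".." and
        // dot-files collapse to the fallback name. The extension comes from the
        // sniffed type, never from the message.
        $stem = preg_replace('/[^a-zA-Z0-9_-]/', '_', pathinfo(basename($name), PATHINFO_FILENAME));
        $stem = ltrim(substr($stem, 0, 64), '_') ?: 'attachment';
        // Random prefix: no overwrites of earlier files, no guessable paths.
        $path = rtrim($dir, '/') . '/' . bin2hex(random_bytes(8)) . '-' . $stem . '.' . self::ALLOWED[$actual];
        // 'x' mode fails instead of overwriting if the path somehow already exists.
        $fh = fopen($path, 'xb');
        if ($fh === false) {
            throw new RuntimeException('could not create ' . $path);
        }
        fwrite($fh, $bytes);
        fclose($fh);
        return $path;
    }
}
```

Call it as `AttachmentStore::save($attachment->getFilename(), $attachment->getContentType(), $attachment->getSize(), $bytes, '/var/app/attachments')` and log the exception message on rejection; the directory should live outside the web root.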
### Resource Limits

Prevent memory exhaustion:

```php
// Limit number of messages fetched
$messages = $service
    ->inbox()
    ->limit(100) // Don't fetch unbounded result sets
    ->fetch();

// Use field selection to reduce memory usage
$messages = $service
    ->inbox()
    ->fields(['uid', 'subject', 'from', 'date']) // Omit large bodies
    ->fetch();
```
## Known Security Considerations

- Connector Choice: Socket mode is the default runtime path. If you enable `ext-imap`, keep PHP and extension packages updated.
- Memory Usage: Large attachments can exhaust memory if fully materialized. Prefer metadata-only fetches and streaming for large files.
- Connection Security: Always use SSL/TLS for IMAP connections when connecting over untrusted networks.
## Disclosure Policy

When a security issue is fixed:

- A security advisory will be published on GitHub
- CHANGELOG.md will be updated with security fix details
- A new patch version will be released
- Affected versions will be clearly documented

## Security Updates
Subscribe to security advisories:
- Watch the GitHub repository for security alerts
- Check CHANGELOG.md for security-related fixes