From bba0b479d5578a04c5160a4c6ec98af90a1f421a Mon Sep 17 00:00:00 2001
From: Jan Dittberner <jandd@cacert.org>
Date: Sat, 21 Sep 2024 10:27:54 +0200
Subject: [PATCH] Fix cats_import

- compare the client certificate email address directly instead of
  trying to match DN parts
- improve handling of IP addresses
---
 www/cats/cats_import.php | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)

diff --git a/www/cats/cats_import.php b/www/cats/cats_import.php
index feb92d4..7e56ba0 100644
--- a/www/cats/cats_import.php
+++ b/www/cats/cats_import.php
@@ -1,6 +1,6 @@
 <? /*
     LibreSSL - CAcert web application
-    Copyright (C) 2004-2008  CAcert Inc.
+    Copyright (C) 2004-2024  CAcert Inc.
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -31,25 +31,19 @@ function sanitize_string($buffer) {
 }
 
 define ('UNDEFINED', 'nd');
-define ('ALLOWED_IP', '213.154.225.243');
-define ('ALLOWED_IP2', '172.16.2.27');
+
 define ('CONFIG_FILEPATH', '/www/');
 
+$expected_client_address = 'cats@cacert.org';
+$allowed_ip_addresses = ['213.154.225.243', '172.16.2.27'];
+
 $remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED;
 $server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED;
 $https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED;
-$ssl_client_s_dn = (isset($_SERVER['SSL_CLIENT_S_DN']))?$_SERVER['SSL_CLIENT_S_DN']:UNDEFINED;
-
-$access = FALSE;
-
-// Access only from CATS.cacert.org with a client certificate for cats@cacert.org
-if (
- ($remote_addr == ALLOWED_IP || $remote_addr == ALLOWED_IP2)  &&
- $https == 'on' && 
- // Comment (to be romeved): better to use preg_match matching the end of the line (since this is on the end of the line right?)
- // Ted: Is this specified? I don't think so, therefore I'd keep stristr
- strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
-) $access = TRUE;
+$ssl_client_email = (isset($_SERVER['SSL_CLIENT_S_DN_Email']))?$_SERVER['SSL_CLIENT_S_DN_Email']:UNDEFINED;
+
+// Access only from cats.cacert.org with a client certificate for cats@cacert.org
+$access = in_array($remote_addr, $allowed_ip_addresses) && ($https == 'on') && ($ssl_client_email == $expected_client_address);
 
 if ($access !== TRUE) {
  echo 'UNAUTHORIZED ACCESS<br>'."\r\n";