From 1112d76dd5be6529ff50aea1e675dcbcf3eb9aa3 Mon Sep 17 00:00:00 2001
From: Mendel Mobach
Date: Sat, 19 Apr 2014 07:32:11 +0000
Subject: [PATCH] fix for https://bugs.cacert.org/view.php?id=1272 "Arbitrary Code Execution via SQL injection on certain database fields"

---
 includes/account.php | 37 ++++++++++++++++++++++--------------
 scripts/cron/warning.php | 3 ++-
 scripts/scanforexponents.php | 5 +++--
 www/api/ccsr.php | 4 +++-
 4 files changed, 31 insertions(+), 18 deletions(-)

diff --git a/includes/account.php b/includes/account.php
index 09c123b..7e9ee2a 100644
--- a/includes/account.php
+++ b/includes/account.php
@@ -395,7 +395,8 @@ function buildSubjectFromSession() {
 fputs($fp, $emails);
 fclose($fp);
 $challenge=$_SESSION['spkac_hash'];
- $res=`openssl spkac -verify -in $CSRname`;
+ $CSRname_esc = escapeshellarg($CSRname);
+ $res=`openssl spkac -verify -in $CSRname_esc`;
 if(!strstr($res,"Challenge String: ".$challenge))
 {
 $id = $oldid;
@@ -457,7 +458,9 @@ function buildSubjectFromSession() {
 $csrsubject .= "/emailAddress = ".$user['uniqueID'];
 
 $tmpname = tempnam("/tmp", "id4csr");
- $do = `/usr/bin/openssl req -in $tmpfname -out $tmpname`; // -subj "$csr"`;
+ $tmpfname_esc = escapeshellarg($tmpfname);
+ $tmpname_esc = escapeshellarg($tmpname);
+ $do = `/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc`; // -subj "$csr"`;
 @unlink($tmpfname);
 $csr = "";
 $fp = fopen($tmpname, "r");
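Review bot: The new `$CSRname_esc` line quotes the path correctly, but the command on the line after it still runs a bare `openssl` resolved through the web server's PATH, while every other invocation touched by this patch uses `/usr/bin/openssl`. A relative binary name is a weaker guarantee than the absolute path when the server's environment is not fully controlled; `$res=\`/usr/bin/openssl spkac -verify -in $CSRname_esc\`;` would make the -395 hunk consistent with the rest of the change, and the same applies to the identical -1552 hunk further down. The enclosing block starts before and ends after the hunk.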
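Review bot: The exit status of the `openssl req` call on the new `$do = ...` line is still discarded: backticks capture only stdout, `$do` is never read, and the code goes straight on to `fopen($tmpname, "r")`, so a failed re-encode is parsed as an empty request. `tempnam()` returning `false` is one such case, since `escapeshellarg(false)` yields `''` and openssl then writes nowhere. Switching to `exec('/usr/bin/openssl req -in ' . $tmpfname_esc . ' -out ' . $tmpname_esc . ' 2>&1', $out, $rc);` and bailing out when `$tmpname === false || $rc !== 0` would surface the failure; which error path to take is not visible because the enclosing block continues outside the hunk.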
@@ -733,9 +736,9 @@ function buildSubjectFromSession() {
 $fp = fopen($_SESSION['_config']['tmpfname'], "w");
 fputs($fp, $CSR);
 fclose($fp);
- $CSR = $_SESSION['_config']['tmpfname'];
- $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`);
- $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+ $CSR = escapeshellarg($_SESSION['_config']['tmpfname']);
+ $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep "Subject:"`);
+ $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
 foreach($bits as $val)
 {
 $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@@ -900,8 +903,9 @@ function buildSubjectFromSession() {
 $newid = mysql_insert_id();
 $newfile=generatecertpath("csr","server",$newid);
 copy($row['csr_name'], $newfile);
- $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$newfile"|tr -d "\\0"|grep "Subject:"`);
- $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$newfile"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+ $newfile_esc = escapeshellarg($newfile);
+ $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d "\\0"|grep "Subject:"`);
+ $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
 foreach($bits as $val)
 {
 $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
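Review bot: The new `$CSR = escapeshellarg($_SESSION['_config']['tmpfname']);` line overwrites `$CSR`, which two lines earlier is the request body handed to `fputs($fp, $CSR)`, with a shell-quoted file path, so a reader of the two backtick commands has to work out which meaning is in force. Every other hunk in this patch introduces a dedicated `_esc` variable instead; `$tmpfname_esc = escapeshellarg($_SESSION['_config']['tmpfname']);` with `-in $tmpfname_esc` in both commands would keep `$CSR` meaning the CSR and match the rest of the change. The same reuse recurs in the -1860 hunk. The enclosing block starts before and ends after the hunk.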
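Review bot: `copy($row['csr_name'], $newfile)` on the third context line of the -900 hunk still takes the database value as a filesystem path, so quoting it for the shell on the following lines closes the command-injection sink named in the bug title but not an arbitrary-file-read through the same field, if that field is attacker-writable as the title suggests. A containment check before the copy, e.g. `$src = realpath($row['csr_name']);` followed by rejecting the request when `$src === false` or `$src` does not start with the directory generatecertpath() writes to, would pin the source to the expected location; the correct base directory is not visible in this hunk, so confirm it against the surrounding code. The enclosing block starts before and ends after the hunk.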
@@ -930,7 +934,8 @@ function buildSubjectFromSession() {
 printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "", "");
 } else {
 $drow = mysql_fetch_assoc($res);
- $cert = `/usr/bin/openssl x509 -in $drow[crt_name]`;
+ $crt_name = escapeshellarg($drow['crt_name']);
+ $cert = `/usr/bin/openssl x509 -in $crt_name`;
 echo "
\n$cert\n
\n";
 }
 }
@@ -1552,7 +1557,8 @@ function buildSubjectFromSession() {
 fputs($fp, $emails);
 fclose($fp);
 $challenge=$_SESSION['spkac_hash'];
- $res=`openssl spkac -verify -in $CSRname`;
+ $CSRname_esc = escapeshellarg($CSRname);
+ $res=`openssl spkac -verify -in $CSRname_esc`;
 if(!strstr($res,"Challenge String: ".$challenge))
 {
 $id = $oldid;
@@ -1604,7 +1610,9 @@ function buildSubjectFromSession() {
 $csrsubject .= "/countryName=".$org['C'];
 
 $tmpname = tempnam("/tmp", "id17csr");
- $do = `/usr/bin/openssl req -in $tmpfname -out $tmpname`;
+ $tmpfname_esc = escapeshellarg($tmpfname);
+ $tmpname_esc = escapeshellarg($tmpname);
+ $do = `/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc`;
 @unlink($tmpfname);
 $csr = "";
 $fp = fopen($tmpname, "r");
@@ -1860,9 +1868,9 @@ function buildSubjectFromSession() {
 $fp = fopen($_SESSION['_config']['tmpfname'], "w");
 fputs($fp, $CSR);
 fclose($fp);
- $CSR = $_SESSION['_config']['tmpfname'];
- $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`);
- $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+ $CSR = escapeshellarg($_SESSION['_config']['tmpfname']);
+ $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep "Subject:"`);
+ $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
 foreach($bits as $val)
 {
 $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
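Review bot: The six lines changed in the -1860 hunk are identical to those in the -733 hunk earlier in this file (write the CSR to the temp file, shell out to openssl twice, assemble `$_SESSION['_config']['subject']` from the Subject and SAN lines), which is why the same fix had to be applied twice. Pulling them into one helper, e.g. `function extractCsrSubject($csrfile)` returning the subject string and the DNS bits, would let the next hardening of the openssl invocation land in one place. As in -733, a separate `$tmpfname_esc = escapeshellarg(...)` rather than overwriting `$CSR` would also keep the variable's meaning stable across the three lines. The enclosing block starts before and ends after the hunk.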
@@ -2080,7 +2088,8 @@ function buildSubjectFromSession() {
 printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "", "");
 } else {
 $drow = mysql_fetch_assoc($res);
- $cert = `/usr/bin/openssl x509 -in $drow[crt_name]`;
+ $crtname = escapeshellarg($drow['crt_name']);
+ $cert = `/usr/bin/openssl x509 -in $crtname`;
 echo "
\n$cert\n
\n";
 }
 }
diff --git a/scripts/cron/warning.php b/scripts/cron/warning.php
index 0c97ba2..8f607cd 100755
--- a/scripts/cron/warning.php
+++ b/scripts/cron/warning.php
@@ -38,7 +38,8 @@
 {
 $row['crt_name'] = str_replace("../", "www/", $row['crt_name']);
 $row['crt_name'] = "/home/cacert/".$row['crt_name'];
- $subject = `openssl x509 -in '$row[crt_name]' -text -noout|grep Subject:`;
+ $crt_name = escapeshellarg($row['crt_name']);
+ $subject = `openssl x509 -in $crt_name -text -noout|grep Subject:`;
 $bits = explode("/", $subject);
 foreach($bits as $val)
 {
diff --git a/scripts/scanforexponents.php b/scripts/scanforexponents.php
index 7136723..388fe1e 100755
--- a/scripts/scanforexponents.php
+++ b/scripts/scanforexponents.php
@@ -29,10 +29,11 @@
 if(!is_file($file))
 continue;
 
+ $file_esc = escapeshellarg($file);
 if(substr($file, -3) == "der")
- $do = trim(`openssl x509 -inform der -in $file -text -noout 2>&1 |grep 'Exponent'`);
+ $do = trim(`openssl x509 -inform der -in $file_esc -text -noout 2>&1 |grep 'Exponent'`);
 else
- $do = trim(`openssl x509 -in $file -text -noout 2>&1 |grep 'Exponent'`);
+ $do = trim(`openssl x509 -in $file_esc -text -noout 2>&1 |grep 'Exponent'`);
 
 if($do == "")
 continue;
diff --git a/www/api/ccsr.php b/www/api/ccsr.php
index 7efdf8d..403882f 100644
--- a/www/api/ccsr.php
+++ b/www/api/ccsr.php
@@ -73,7 +73,9 @@ require_once '../../includes/lib/check_weak_key.php';
 $fp = fopen($incsr, "w");
 fputs($fp, $CSR);
 fclose($fp);
- $do = `/usr/bin/openssl req -in $incsr -out $checkedcsr`;
+ $incsr_esc = escapeshellarg($incsr);
+ $checkedcsr_esc = escapeshellarg($checkedcsr);
+ $do = `/usr/bin/openssl req -in $incsr_esc -out $checkedcsr_esc`;
 @unlink($incsr);
 if(filesize($checkedcsr) <= 0)
 die("404,Invalid or missing CSR");
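Review bot: The escaped variable added in the -2080 hunk is named `$crtname`, while the otherwise identical -930 hunk in this file and the warning.php hunk both name it `$crt_name`. Using `$crt_name = escapeshellarg($drow['crt_name']);` and `$cert = \`/usr/bin/openssl x509 -in $crt_name\`;` here keeps the three sites grep-able under one name and makes the duplication between -930 and -2080 obvious enough to fold into a helper later. The enclosing block starts before the hunk.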
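Review bot: In the warning.php hunk, quoting `$crt_name` stops the database value from reaching the shell as code, but the two context lines above it remain the only path validation: a single-pass `str_replace("../", "www/", ...)` is not a general path canonicalisation, and the result is then used as a path under `/home/cacert/`. If `crt_name` can be attacker-written, as the bug title implies, resolving it with `realpath()` and rejecting any result that does not stay under the expected certificate directory before the `openssl x509` call would be the robust check; the directory to compare against is not visible in this hunk. The enclosing loop body starts before and ends after the hunk.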
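Review bot: In the ccsr.php hunk, the `filesize($checkedcsr) <= 0` guard after the new command only catches a missing output file because `filesize()` returns `false` there and PHP evaluates `false <= 0` as true; that is easy to break on a later edit and hides the difference between "openssl failed" and "openssl produced an empty file". The status is available if the call becomes `exec('/usr/bin/openssl req -in ' . $incsr_esc . ' -out ' . $checkedcsr_esc . ' 2>&1', $out, $rc);` with the guard `if ($rc !== 0 || !is_file($checkedcsr) || filesize($checkedcsr) <= 0)`; `$do` is otherwise never read. Whether `$checkedcsr` is removed on the `die` path is outside the hunk — worth confirming.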