From de3cf38c5da0701ed63e75018e4bd9af5672d322 Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sun, 20 Jun 2021 19:21:04 +0200
Subject: [PATCH] Implement warning thresholds for OpenPGP

This patch fixes https://bugs.cacert.org/view.php?id=1530 by adding the same warning threshold behaviour for OpenPGP signing requests that exists for X.509 signing requests. The warning threshold has been moved to a variable. The SQL statements are created using an sprintf statement to avoid potential SQL injections that may get introduced by setting the warning_threshold variable to an invalid valid.

Fixes #1530
---
 CommModule/client.pl | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/CommModule/client.pl b/CommModule/client.pl
index 0874477..56c0a51 100755
--- a/CommModule/client.pl
+++ b/CommModule/client.pl
@@ -40,6 +40,9 @@
 my $paranoid=1;
 my $debug=0;
+# number of attempts before giving up
+my $warn_threshold = 3;
+
 #my $serialport="/dev/ttyS0";
 my $serialport="/dev/ttyUSB0";
@@ -734,7 +737,9 @@ sub HandleCerts($$)
 SysLog "HandleCerts $table\n";
- my $sth = $dbh->prepare("select * from $table where crt_name='' and csr_name!='' and warning<3");
+ my $sth = $dbh->prepare(sprintf(
+ "select * from %s where crt_name='' and csr_name!='' and warning<%d", $table, $warn_threshold
+ ));
 $sth->execute();
 #$rowdata;
 while ( my $rowdata = $sth->fetchrow_hashref() )
@@ -904,7 +909,7 @@ sub HandleCerts($$)
 else
 {
 SysLog("Could not find the issued certificate. $crtname ".$row{"id"}."\n");
- $dbh->do("update `$table` set warning=warning+1 where `id`='".$row{'id'}."'");
+ $dbh->do(sprintf("update %s set warning=warning+1 where id=%d", $table, $row{'id'}));
 }
 }
 }
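Review bot: The `%s` for `$table` in the new prepare() call of HandleCerts is plain interpolation, so the sprintf only hardens the `%d` threshold; a table name that is not a bare identifier is still spliced into the statement unescaped, which the commit message's SQL-injection rationale does not cover. The threshold is a file-level lexical, so the practical exposure is low, but whether every caller passes a literal table name is not visible in this hunk. I would reject unexpected table names and bind the integer as a placeholder: `die "bad table name: $table" unless $table =~ /\A\w+\z/;` before the prepare, then `my $sth = $dbh->prepare("select * from $table where crt_name='' and csr_name!='' and warning<?");` and `$sth->execute($warn_threshold);`. HandleCerts starts before this hunk and continues past it.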
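Review bot: The rewritten update in the HandleCerts `else` branch does not check the result of `$dbh->do`, so if the update fails (and RaiseError is not enabled, which this hunk cannot show) the `warning` counter never advances and the request is retried on every run, the exact loop the threshold is meant to bound. It also drops the backticks around `$table` and `id` without gaining anything, since `%s` still interpolates `$table` verbatim, and `%d` would silently turn a non-numeric `$row{'id'}` into 0 and target no row, should the id ever be non-numeric. A placeholder keeps the id out of the SQL text and the return value can be logged: `$dbh->do("update $table set warning=warning+1 where id=?", undef, $row{'id'}) or SysLog("Could not increment warning for ".$row{'id'}.": ".$dbh->errstr."\n");`. The surrounding loop and HandleCerts itself begin outside the hunk.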
@@ -1078,7 +1083,9 @@ sub sendRevokeMail()
 sub HandleGPG()
 {
- my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' ");
+ my $sth = $dbh->prepare(sprintf(
+ "select * from gpg where crt='' and csr!='' and warning<%d", $warn_threshold
+ ));
 $sth->execute();
 my $rowdata;
 while ( $rowdata = $sth->fetchrow_hashref() )
@@ -1144,7 +1151,7 @@ sub HandleGPG()
 sendmail($user{email}, "[CAcert.org] Your GPG/PGP Key", $body, "support\@cacert.org", "", "", "CAcert Support");
 } else {
 SysLog("Could not find the issued gpg key. ".$row{"id"}."\n");
- #$dbh->do("delete from `gpg` where `id`='".$row{'id'}."'");
+ $dbh->do(sprintf("update gpg set warning=warning+1 where id=%d", $row{'id'}));
 }
 }
 }
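Review bot: The new `warning<%d` filter on the gpg select assumes the `gpg` table has a `warning` column; the removed query did not reference it and nothing in this patch adds it, so if the column exists only on the X.509 tables the statement fails on every run and no OpenPGP request is processed at all, and because the `$sth->execute()` result on the following line is unchecked that failure would surface only through whatever DBI error handling is configured elsewhere in the script. Either confirm the column exists in the deployed schema or ship the schema change with the patch. The sprintf is harmless here since `%d` coerces the threshold to an integer, but a placeholder is the idiomatic DBI form: `my $sth = $dbh->prepare("select * from gpg where crt='' and csr!='' and warning<?");` followed by `$sth->execute($warn_threshold);`. HandleGPG continues past the end of the hunk.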
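Review bot: The return value of `$dbh->do` in the new `else` branch of HandleGPG is ignored, so a failed update (with RaiseError off, which is not visible here) leaves `warning` unchanged and the key is retried every run, which is the unbounded retry this commit sets out to stop; and once the counter does reach the threshold the request silently drops out of the select with no log line saying it was given up on. I would log the failure and bind the id as a placeholder: `$dbh->do("update gpg set warning=warning+1 where id=?", undef, $row{'id'}) or SysLog("Could not increment warning for gpg ".$row{'id'}.": ".$dbh->errstr."\n");`. The enclosing loop and HandleGPG start before this hunk.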