Fix for https://bugs.cacert.org/view.php?id=1199

"arbitrary code injection" and for https://bugs.cacert.org/view.php?id=1200 "uses configuration files from world-writable directory"
11 years ago · 715d1d7184
parent b8f46d9c41
commit 715d1d7184
1 changed files with 29 additions and 10 deletions
--- a/www/gpg.php
+++ b/www/gpg.php
@ -17,6 +17,7 @@
 */ ?>
 <?
 	require_once("../includes/loggedin.php");
+	require_once("../includes/lib/general.php");

        $id = 0; if(array_key_exists('id',$_REQUEST)) $id=intval($_REQUEST['id']);
 	$oldid = $_REQUEST['oldid'] = array_key_exists('oldid',$_REQUEST) ? intval($_REQUEST['oldid']) : 0;
@ -82,17 +83,36 @@ function verifyEmail($email)
 	$state=0;
 	if($oldid == "0" && $CSR != "")
 	{
-		$debugkey = $gpgkey = clean_gpgcsr($CSR);
+		$err = runCommand('mktemp --directory /tmp/cacert_gpg.XXXXXXXXXX',
+				"",
+				$tmpdir);
+		if (!$tmpdir)
+		{
+			$err = true;
+		}

-		$tnam = tempnam('/tmp/', '__gpg');
-		$fp = fopen($tnam, 'w');
-		fwrite($fp, $gpgkey);
-		fclose($fp);
-		$debugpg = $gpg = trim(`gpg --with-colons --homedir /tmp 2>&1 < $tnam`);
-		unlink($tnam);
+		if (!$err)
+		{
+			$err = runCommand("gpg --with-colons --homedir $tmpdir 2>&1",
+					clean_gpgcsr($CSR),
+					$gpg);
+
+			`rm -r $tmpdir`;
+		}
+
+		if ($err)
+		{
+			showheader(_("Welcome to CAcert.org"));
+
+			echo "<p style='color:#ff0000'>"._("There was an error parsing your key.")."</p>";
+			unset($_REQUEST['process']);
+			$id = $oldid;
+			unset($oldid);
+			exit();
+		}

 		$lines = "";
-		$gpgarr = explode("\n", $gpg);
+		$gpgarr = explode("\n", trim($gpg));
 		foreach($gpgarr as $line)
 		{
 			#echo "Line[]: $line <br/>\n";
@ -260,7 +280,6 @@ function verifyEmail($email)
 			unset($_REQUEST['process']);
 			$id = $oldid;
 			unset($oldid);
-			$do = `echo "$debugkey\n--\n$debugpg\n--" >> /www/tmp/gpg.debug`;
 			exit();
 		}
 		elseif($nerr)
@ -303,7 +322,7 @@ function verifyEmail($email)
 		system("gpg --homedir $cwd --import $cwd/gpg.csr");


-		$debugpg = $gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $keyid 2>&1`);
+		$gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $keyid 2>&1`);
 		$lines = "";
 		$gpgarr = explode("\n", $gpg);
 		foreach($gpgarr as $line)