"arbitrary code injection" and for https://bugs.cacert.org/view.php?id=1200 "uses configuration files from world-writable directory"
This commit is contained in:
Wytze van der Raay
parent
b8f46d9c41
commit
715d1d7184
1 changed files with 29 additions and 10 deletions
39
www/gpg.php
39
www/gpg.php
|
|
@ -17,6 +17,7 @@
|
|||
*/ ?>
|
||||
<?
|
||||
require_once("../includes/loggedin.php");
|
||||
require_once("../includes/lib/general.php");
|
||||
|
||||
$id = 0; if(array_key_exists('id',$_REQUEST)) $id=intval($_REQUEST['id']);
|
||||
$oldid = $_REQUEST['oldid'] = array_key_exists('oldid',$_REQUEST) ? intval($_REQUEST['oldid']) : 0;
|
||||
|
|
@ -82,17 +83,36 @@ function verifyEmail($email)
|
|||
$state=0;
|
||||
if($oldid == "0" && $CSR != "")
|
||||
{
|
||||
$debugkey = $gpgkey = clean_gpgcsr($CSR);
|
||||
$err = runCommand('mktemp --directory /tmp/cacert_gpg.XXXXXXXXXX',
|
||||
"",
|
||||
$tmpdir);
|
||||
if (!$tmpdir)
|
||||
{
|
||||
$err = true;
|
||||
}
|
||||
|
||||
$tnam = tempnam('/tmp/', '__gpg');
|
||||
$fp = fopen($tnam, 'w');
|
||||
fwrite($fp, $gpgkey);
|
||||
fclose($fp);
|
||||
$debugpg = $gpg = trim(`gpg --with-colons --homedir /tmp 2>&1 < $tnam`);
|
||||
unlink($tnam);
|
||||
if (!$err)
|
||||
{
|
||||
$err = runCommand("gpg --with-colons --homedir $tmpdir 2>&1",
|
||||
clean_gpgcsr($CSR),
|
||||
$gpg);
|
||||
|
||||
`rm -r $tmpdir`;
|
||||
}
|
||||
|
||||
if ($err)
|
||||
{
|
||||
showheader(_("Welcome to CAcert.org"));
|
||||
|
||||
echo "<p style='color:#ff0000'>"._("There was an error parsing your key.")."</p>";
|
||||
unset($_REQUEST['process']);
|
||||
$id = $oldid;
|
||||
unset($oldid);
|
||||
exit();
|
||||
}
|
||||
|
||||
$lines = "";
|
||||
$gpgarr = explode("\n", $gpg);
|
||||
$gpgarr = explode("\n", trim($gpg));
|
||||
foreach($gpgarr as $line)
|
||||
{
|
||||
#echo "Line[]: $line <br/>\n";
|
||||
|
|
@ -260,7 +280,6 @@ function verifyEmail($email)
|
|||
unset($_REQUEST['process']);
|
||||
$id = $oldid;
|
||||
unset($oldid);
|
||||
$do = `echo "$debugkey\n--\n$debugpg\n--" >> /www/tmp/gpg.debug`;
|
||||
exit();
|
||||
}
|
||||
elseif($nerr)
|
||||
|
|
@ -303,7 +322,7 @@ function verifyEmail($email)
|
|||
system("gpg --homedir $cwd --import $cwd/gpg.csr");
|
||||
|
||||
|
||||
$debugpg = $gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $keyid 2>&1`);
|
||||
$gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $keyid 2>&1`);
|
||||
$lines = "";
|
||||
$gpgarr = explode("\n", $gpg);
|
||||
foreach($gpgarr as $line)
|
||||
|
|
|
|||
Loading…
Reference in a new issue