"arbitrary code injection"
and for https://bugs.cacert.org/view.php?id=1200
"uses configuration files from world-writable directory"
Wytze van der Raay 2013-08-29 10:08:59 +00:00
parent b8f46d9c41
commit 715d1d7184


@ -17,6 +17,7 @@
*/ ?> */ ?>
<? <?
require_once("../includes/loggedin.php"); require_once("../includes/loggedin.php");
require_once("../includes/lib/general.php");
$id = 0; if(array_key_exists('id',$_REQUEST)) $id=intval($_REQUEST['id']); $id = 0; if(array_key_exists('id',$_REQUEST)) $id=intval($_REQUEST['id']);
$oldid = $_REQUEST['oldid'] = array_key_exists('oldid',$_REQUEST) ? intval($_REQUEST['oldid']) : 0; $oldid = $_REQUEST['oldid'] = array_key_exists('oldid',$_REQUEST) ? intval($_REQUEST['oldid']) : 0;
@ -82,17 +83,36 @@ function verifyEmail($email)
$state=0; $state=0;
if($oldid == "0" && $CSR != "") if($oldid == "0" && $CSR != "")
{ {
$debugkey = $gpgkey = clean_gpgcsr($CSR); $err = runCommand('mktemp --directory /tmp/cacert_gpg.XXXXXXXXXX',
"",
$tmpdir);
if (!$tmpdir)
{
$err = true;
}
$tnam = tempnam('/tmp/', '__gpg'); if (!$err)
$fp = fopen($tnam, 'w'); {
fwrite($fp, $gpgkey); $err = runCommand("gpg --with-colons --homedir $tmpdir 2>&1",
fclose($fp); clean_gpgcsr($CSR),
$debugpg = $gpg = trim(`gpg --with-colons --homedir /tmp 2>&1 < $tnam`); $gpg);
unlink($tnam);
`rm -r $tmpdir`;
}
if ($err)
{
showheader(_("Welcome to CAcert.org"));
echo "<p style='color:#ff0000'>"._("There was an error parsing your key.")."</p>";
unset($_REQUEST['process']);
$id = $oldid;
unset($oldid);
exit();
}
$lines = ""; $lines = "";
$gpgarr = explode("\n", $gpg); $gpgarr = explode("\n", trim($gpg));
foreach($gpgarr as $line) foreach($gpgarr as $line)
{ {
#echo "Line[]: $line <br/>\n"; #echo "Line[]: $line <br/>\n";
@ -260,7 +280,6 @@ function verifyEmail($email)
unset($_REQUEST['process']); unset($_REQUEST['process']);
$id = $oldid; $id = $oldid;
unset($oldid); unset($oldid);
$do = `echo "$debugkey\n--\n$debugpg\n--" >> /www/tmp/gpg.debug`;
exit(); exit();
} }
elseif($nerr) elseif($nerr)
@ -303,7 +322,7 @@ function verifyEmail($email)
system("gpg --homedir $cwd --import $cwd/gpg.csr"); system("gpg --homedir $cwd --import $cwd/gpg.csr");
$debugpg = $gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $keyid 2>&1`); $gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $keyid 2>&1`);
$lines = ""; $lines = "";
$gpgarr = explode("\n", $gpg); $gpgarr = explode("\n", $gpg);
foreach($gpgarr as $line) foreach($gpgarr as $line)