"arbitrary code injection"
This commit is contained in:
Wytze van der Raay 2013-10-16 10:43:34 +00:00
parent ae8f9f152b
commit 82b3c5f6a9


@ -319,10 +319,10 @@ function verifyEmail($email)
`keyid`='".mysql_real_escape_string($keyid)."', `keyid`='".mysql_real_escape_string($keyid)."',
`description`='".mysql_real_escape_string($description)."'"; `description`='".mysql_real_escape_string($description)."'";
mysql_query($query); mysql_query($query);
$id = mysql_insert_id(); $insert_id = mysql_insert_id();
$cwd = '/tmp/gpgspace'.$id; $cwd = '/tmp/gpgspace'.$insert_id;
mkdir($cwd,0755); mkdir($cwd,0755);
$fp = fopen("$cwd/gpg.csr", "w"); $fp = fopen("$cwd/gpg.csr", "w");
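Review bot: Neither the insert nor the directory creation is checked in this hunk: if `mysql_query($query)` fails, `mysql_insert_id()` yields 0 and every failing request would share `/tmp/gpgspace0`, and a false return from `mkdir($cwd,0755)` (path already present from an earlier run) is ignored, so gpg could then operate in a homedir this code did not create. I would guard both before anything is written there, e.g. `if (!$insert_id || !mkdir($cwd, 0700)) { /* report the error and stop */ }`, using 0700 because 0755 leaves the GPG homedir world-readable, which gpg itself reports as unsafe permissions. A related point of style: `$cmd_keyid = escapeshellarg($keyid);` is repeated at three call sites in the later hunks (-333, -433 and -515); computing it once near the top of the function, after validating that `$keyid` is hexadecimal (e.g. with `ctype_xdigit`), would keep the three gpg invocations consistent and harder to miss when a fourth is added. The enclosing function (the hunk header names verifyEmail as context) starts before and continues after this hunk.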
@ -333,7 +333,8 @@ function verifyEmail($email)
system("gpg --homedir $cwd --import $cwd/gpg.csr"); system("gpg --homedir $cwd --import $cwd/gpg.csr");
$gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $keyid 2>&1`); $cmd_keyid = escapeshellarg($keyid);
$gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $cmd_keyid 2>&1`);
$lines = ""; $lines = "";
$gpgarr = explode("\n", $gpg); $gpgarr = explode("\n", $gpg);
foreach($gpgarr as $line) foreach($gpgarr as $line)
@ -433,7 +434,8 @@ function verifyEmail($email)
//echo "Keyid: $keyid\n"; //echo "Keyid: $keyid\n";
$process = proc_open("/usr/bin/gpg --homedir $cwd --no-tty --command-fd 0 --status-fd 1 --logger-fd 2 --edit-key $keyid", $descriptorspec, $pipes); $cmd_keyid = escapeshellarg($keyid);
$process = proc_open("/usr/bin/gpg --homedir $cwd --no-tty --command-fd 0 --status-fd 1 --logger-fd 2 --edit-key $cmd_keyid", $descriptorspec, $pipes);
//echo "Process: $process\n"; //echo "Process: $process\n";
//fputs($stderr,"Process: $process\n"); //fputs($stderr,"Process: $process\n");
@ -515,15 +517,16 @@ function verifyEmail($email)
} }
$csrname=generatecertpath("csr","gpg",$id); $csrname=generatecertpath("csr","gpg",$insert_id);
$do=`gpg --homedir $cwd --batch --export-options export-minimal --export $keyid >$csrname`; $cmd_keyid = escapeshellarg($keyid);
$do=`gpg --homedir $cwd --batch --export-options export-minimal --export $cmd_keyid >$csrname`;
mysql_query("update `gpg` set `csr`='$csrname' where `id`='$id'"); mysql_query("update `gpg` set `csr`='$csrname' where `id`='$insert_id'");
waitForResult('gpg', $id); waitForResult('gpg', $insert_id);
showheader(_("Welcome to CAcert.org")); showheader(_("Welcome to CAcert.org"));
echo $resulttable; echo $resulttable;
$query = "select * from `gpg` where `id`='$id' and `crt`!=''"; $query = "select * from `gpg` where `id`='$insert_id' and `crt`!=''";
$res = mysql_query($query); $res = mysql_query($query);
if(mysql_num_rows($res) <= 0) if(mysql_num_rows($res) <= 0)
{ {
@ -531,7 +534,7 @@ function verifyEmail($email)
echo _("If this is a re-occuring problem, please send a copy of the key you are trying to signed to support@cacert.org. Thank you."); echo _("If this is a re-occuring problem, please send a copy of the key you are trying to signed to support@cacert.org. Thank you.");
} else { } else {
echo "<pre>"; echo "<pre>";
readfile(generatecertpath("crt","gpg",$id)); readfile(generatecertpath("crt","gpg",$insert_id));
echo "</pre>"; echo "</pre>";
} }