Fix cats_import

- compare the client certificate email address directly instead of
  trying to match DN parts
- improve handling of IP addresses
This commit is contained in:
Jan Dittberner 2024-09-21 10:27:54 +02:00
parent 4edf5c0cc5
commit bba0b479d5

View file

@ -1,6 +1,6 @@
<? /*
LibreSSL - CAcert web application
Copyright (C) 2004-2008 CAcert Inc.
Copyright (C) 2004-2024 CAcert Inc.
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -31,25 +31,19 @@ function sanitize_string($buffer) {
}
define ('UNDEFINED', 'nd');
define ('ALLOWED_IP', '213.154.225.243');
define ('ALLOWED_IP2', '172.16.2.27');
define ('CONFIG_FILEPATH', '/www/');
$expected_client_address = 'cats@cacert.org';
$allowed_ip_addresses = ['213.154.225.243', '172.16.2.27'];
$remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED;
$server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED;
$https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED;
$ssl_client_s_dn = (isset($_SERVER['SSL_CLIENT_S_DN']))?$_SERVER['SSL_CLIENT_S_DN']:UNDEFINED;
$ssl_client_email = (isset($_SERVER['SSL_CLIENT_S_DN_Email']))?$_SERVER['SSL_CLIENT_S_DN_Email']:UNDEFINED;
$access = FALSE;
// Access only from CATS.cacert.org with a client certificate for cats@cacert.org
if (
($remote_addr == ALLOWED_IP || $remote_addr == ALLOWED_IP2) &&
$https == 'on' &&
// Comment (to be romeved): better to use preg_match matching the end of the line (since this is on the end of the line right?)
// Ted: Is this specified? I don't think so, therefore I'd keep stristr
strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
) $access = TRUE;
// Access only from cats.cacert.org with a client certificate for cats@cacert.org
$access = in_array($remote_addr, $allowed_ip_addresses) && ($https == 'on') && ($ssl_client_email == $expected_client_address);
if ($access !== TRUE) {
echo 'UNAUTHORIZED ACCESS<br>'."\r\n";