cacert
/
cacert-webdb
9
0
Fork 0
Code Issues Pull Requests 2 Projects Releases 4 Wiki Activity

Fix cats_import

Browse Source 
- compare the client certificate email address directly instead of
  trying to match DN parts
- improve handling of IP addresses
pull/25/head
Jan Dittberner 2 weeks ago
parent 4edf5c0cc5
commit bba0b479d5
1 changed files with 9 additions and 15 deletions
Show Stats Download Patch File Download Diff File

24
www/cats/cats_import.php
Unescape Escape View File

@ -1,6 +1,6 @@
<? /* <? /*
LibreSSL - CAcert web application LibreSSL - CAcert web application
Copyright (C) 2004-2008 CAcert Inc. Copyright (C) 2004-2024 CAcert Inc.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -31,25 +31,19 @@ function sanitize_string($buffer) {
} }
define ('UNDEFINED', 'nd'); define ('UNDEFINED', 'nd');
define ('ALLOWED_IP', '213.154.225.243');
define ('ALLOWED_IP2', '172.16.2.27');
define ('CONFIG_FILEPATH', '/www/'); define ('CONFIG_FILEPATH', '/www/');
$expected_client_address = 'cats@cacert.org';
$allowed_ip_addresses = ['213.154.225.243', '172.16.2.27'];
$remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED; $remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED;
$server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED; $server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED;
$https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED; $https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED;
$ssl_client_s_dn = (isset($_SERVER['SSL_CLIENT_S_DN']))?$_SERVER['SSL_CLIENT_S_DN']:UNDEFINED; $ssl_client_email = (isset($_SERVER['SSL_CLIENT_S_DN_Email']))?$_SERVER['SSL_CLIENT_S_DN_Email']:UNDEFINED;
$access = FALSE; // Access only from cats.cacert.org with a client certificate for cats@cacert.org
$access = in_array($remote_addr, $allowed_ip_addresses) && ($https == 'on') && ($ssl_client_email == $expected_client_address);
// Access only from CATS.cacert.org with a client certificate for cats@cacert.org
if (
($remote_addr == ALLOWED_IP || $remote_addr == ALLOWED_IP2) &&
$https == 'on' &&
// Comment (to be romeved): better to use preg_match matching the end of the line (since this is on the end of the line right?)
// Ted: Is this specified? I don't think so, therefore I'd keep stristr
strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
) $access = TRUE;
if ($access !== TRUE) { if ($access !== TRUE) {
echo 'UNAUTHORIZED ACCESS<br>'."\r\n"; echo 'UNAUTHORIZED ACCESS<br>'."\r\n";

Write Preview
Loading…
Cancel
Save