This change fixes the client certificate login for cases where duplicate
serial numbers have been issued and recorded in the emailcerts table.
Email addresses from the client certificate are used as an additional
matching parameter.
- includes/lib/general.php got a new function
get_email_addresses_from_client_cert to create an array of email
addresses from the environment variables set by Apache httpd
- includes/loggedin.php and www/index.php use the new function to pass
email addresses to the get_user_id_from_cert function
- get_user_id_from_cert in includes/lib/general.php has been enhanced to
use a JOIN over the emailcerts, root_certs and email tables. All
parameters are escaped via mysql_real_escape_string
- SQL errors in get_user_id_from_cert are now handled
- a match from get_user_id_from_cert is only returned when there is
exactly one row in the result set
The code and the used query have been tested with Apache 2.4.10 and PHP
5.6 from Debian Jessie and a MariaDB 10.11 in strict mode using a
container based test setup to match the current production setup as
close as possible.
This change removes locale/cv.c. It does not seem to be used anywhere in
the current system. None of the current critical team members knows
about its history. It might have been replaced by
locale/escape_special_chars.php long ago.
This commit adds a migration script to add missing DEFAULT values on the
users table. INSERTs into the users table fail without these DEFAULTs on
MariaDB in strict mode.
MySQL tolerated INSERTs of an empty string in the type column of the
ordomaincerts table. This commit uses an integer value of 0 as default
instead to ensure that MariaDB with strict settings accepts the INSERT
too.
This commit introduces a fix for wrongly inserted email addresses that
have a memid=0 field because of MariaDBs strict mode that was enabled
after moving from MySQL to MariaDB.
Fixes https://bugs.cacert.org/view.php?id=1543
CAcert Class1 root certificate needs to be reissued with
an updated CDP and a SHA-based signature.
See the message thread preserved in
https://lists.cacert.org/wws/arc/cacert-systemlog/2016-03/
for more information on the re-signed root certificates
installed and enabled by this commit.
CAcert Class1 root certificate needs to be reissued with
an updated CDP and a SHA-based signature.
See the message thread preserved in
https://lists.cacert.org/wws/arc/cacert-systemlog/2016-03/
for more information on the re-signed root certificates
installed and enabled by this commit.