author | Felix Dörre <felix@dogcraft.de> | 2014-06-15 10:39:04 +0200 |
---|---|---|
committer | Felix Dörre <felix@dogcraft.de> | 2014-06-15 10:59:31 +0200 |
commit | b6ee5404b9dcc3df6ace5f640f522118d18b818d (patch) | |
tree | eae5a40733cde853c993588bee9a1420bbbc9b3d /pages | |
parent | 6d0f414854b2c1aa1da9ec49889ac9bb3b69b966 (diff) | |
bug 1273: replace backtick operators with shell_exec
+ fix 1 missing escapeshellarg
Commands used to locate:
1.
find includes -type f -name '*.php' -exec cat {} \; \
| tr '\n' '?' | sed 's/\(\$query .\?= \|\
mysql_query(\|query_init (\)"\([^"]\|".\(\(intval\|mysql_real_escape_string\)\
(\$[^\$)]\+)\|\$_SESSION\(\['_config'\]\['user'\]\['Q[1-5]'\]\
\|['_config']['disablelogin']\)\)[ ?]*."\)*"/mysql-substitute/g'\
| tr '?' '\n' | grep --color=always "\`"|less -r
and reviewing the queries by hand.
This command replaces strings that obviously look
like SQL queries and then outputs all remaining backticks:
starting with "$query = ,mysql_query, ..."
and are only interrupted by "safe" calls:
- mysql_real_escape_string
- intval
- pre_escaped session variables
(This command may also be used for locating
bad escaped sql_queries)
2. grep -r "\`\(grep\|/\|echo\|dig\|openssl\|gpg\|rm\|../\)" www includes pages \
| grep -v '\(from\|update\|into\) `gpg'
Diffstat (limited to 'pages')
-rw-r--r-- | pages/account/15.php | 2 | ||||
-rw-r--r-- | pages/account/19.php | 2 | ||||
-rw-r--r-- | pages/account/23.php | 2 | ||||
-rw-r--r-- | pages/account/6.php | 6 |
4 files changed, 6 insertions, 6 deletions
diff --git a/pages/account/15.php b/pages/account/15.php
index 6cd3115..405cb44 100644
--- a/pages/account/15.php
+++ b/pages/account/15.php
@@ -30,7 +30,7 @@
 }
 $row = mysql_fetch_assoc($res);
 $crtname=escapeshellarg($row['crt_name']);
- $cert = `/usr/bin/openssl x509 -in $crtname`;
+ $cert = shell_exec("/usr/bin/openssl x509 -in $crtname");
 ?>
 <h3><?=_("Below is your Server Certificate")?></h3>
 <pre>
diff --git a/pages/account/19.php b/pages/account/19.php
index 6a2749c..959111f 100644
--- a/pages/account/19.php
+++ b/pages/account/19.php
@@ -31,7 +31,7 @@
 }
 $row = mysql_fetch_assoc($res);
 $crtname=escapeshellarg($row['crt_name']);
- $cert = `/usr/bin/openssl x509 -in $crtname`;
+ $cert = shell_exec("/usr/bin/openssl x509 -in $crtname");
 if($row['keytype'] == "NS") {
diff --git a/pages/account/23.php b/pages/account/23.php
index 4ec56c3..4255b47 100644
--- a/pages/account/23.php
+++ b/pages/account/23.php
@@ -30,7 +30,7 @@
 }
 $row = mysql_fetch_assoc($res);
 $crtname=escapeshellarg($row['crt_name']);
- $cert = `/usr/bin/openssl x509 -in $crtname`;
+ $cert = shell_exec("/usr/bin/openssl x509 -in $crtname");
 ?>
 <h3><?=_("Below is your Server Certificate")?></h3>
 <pre>
diff --git a/pages/account/6.php b/pages/account/6.php
index 305fccb..de8d1a3 100644
--- a/pages/account/6.php
+++ b/pages/account/6.php
@@ -60,7 +60,7 @@ if (array_key_exists('format', $_REQUEST)) {
 }
 $crtname=escapeshellarg($row['crt_name']);
- $cert = `/usr/bin/openssl x509 -in $crtname $outform`;
+ $cert = shell_exec("/usr/bin/openssl x509 -in $crtname $outform");
 header("Content-Type: application/pkix-cert");
 header("Content-Length: ".strlen($cert));
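Review bot: The return value of `shell_exec()` is used unchecked in the `@@ -30,7 +30,7 @@` hunk of pages/account/15.php, and the same holds for the changed lines in 19.php, 23.php and all three hunks of 6.php. `shell_exec()` returns null when the command fails or prints nothing, so a missing or unreadable certificate file would presumably leave the `<pre>` block that follows empty and, in 6.php, produce a download with `Content-Length: 0`. A guard directly after each call would make the failure visible, for example `if (!is_string($cert) || $cert === '') { /* log and show an error page */ }`. Since the same call now appears six times, one helper taking the certificate path and output format would keep the escaping and this check in a single place. The enclosing block starts and ends outside the hunk.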
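Review bot: `$outform` is interpolated into the shell command in the `@@ -60,7 +60,7 @@` hunk of pages/account/6.php without `escapeshellarg()`, while `$crtname` on the line above is escaped. Its assignment lies outside the hunk; the hunk header shows the enclosing block branches on `$_REQUEST['format']`, so it should be confirmed that the value only ever comes from fixed literals selected by that parameter and never from the request text itself. If that holds, a comment on the call such as `// $outform is one of the hard-coded -outform strings set above, never request data` would record the invariant. If it does not, the format name needs an allowlist check before it reaches the command.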
@@ -82,7 +82,7 @@ if (array_key_exists('format', $_REQUEST)) {
 } else { // All other browsers
 $crtname=escapeshellarg($row['crt_name']);
- $cert = `/usr/bin/openssl x509 -in $crtname -outform DER`;
+ $cert = shell_exec("/usr/bin/openssl x509 -in $crtname -outform DER");
 header("Content-Type: application/x-x509-user-cert");
 header("Content-Length: ".strlen($cert));
@@ -111,7 +111,7 @@ if (array_key_exists('format', $_REQUEST)) {
 // Allow to directly copy and paste the cert in PEM format
 $crtname=escapeshellarg($row['crt_name']);
- $cert = `/usr/bin/openssl x509 -in $crtname -outform PEM`;
+ $cert = shell_exec("/usr/bin/openssl x509 -in $crtname -outform PEM");
 echo "<pre>$cert</pre>"; ?> |