summaryrefslogtreecommitdiff
path: root/www/cats
diff options
context:
space:
mode:
authorMarkus Warg <mw@it-sls.de>2010-03-29 09:54:06 +0200
committerMarkus Warg <mw@it-sls.de>2010-03-29 09:54:06 +0200
commit9dceece06fbdc98add6f76f0b1aec05891a394c4 (patch)
treef7227c28ca5f79f30c2ec81ba1a09a4fe3972436 /www/cats
parent5b68967def224a00f54eb54946ff17301bbd3cdb (diff)
downloadcacert-devel-9dceece06fbdc98add6f76f0b1aec05891a394c4.tar.gz
cacert-devel-9dceece06fbdc98add6f76f0b1aec05891a394c4.tar.xz
cacert-devel-9dceece06fbdc98add6f76f0b1aec05891a394c4.zip
remove cacert/ prefix
Diffstat (limited to 'www/cats')
-rw-r--r--www/cats/.#cats_import.php.1.2165
-rw-r--r--www/cats/CVS/Entries2
-rw-r--r--www/cats/CVS/Repository1
-rw-r--r--www/cats/CVS/Root1
-rw-r--r--www/cats/cats_import.php166
5 files changed, 335 insertions, 0 deletions
diff --git a/www/cats/.#cats_import.php.1.2 b/www/cats/.#cats_import.php.1.2
new file mode 100644
index 0000000..ec73b1b
--- /dev/null
+++ b/www/cats/.#cats_import.php.1.2
@@ -0,0 +1,165 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+// Comment (to be romeved): better to disable shot open tags in php.ini
+
+/*
+ cats_import.php
+
+ API for CATS to import passed tests into main CAcert database.
+*/
+
+function sanitize_string($buffer) {
+ return htmlentities(utf8_decode($buffer), (int)ENQ_QUOTES);
+}
+
+define ('UNDEFINED', 'nd');
+define ('ALLOWED_IP', '72.21.48.90');
+define ('CONFIG_FILEPATH', '/www/');
+
+$remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED;
+$server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED;
+$https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED;
+$ssl_client_s_dn = (isset($_SERVER['SSL_CLIENT_S_DN']))?$_SERVER['SSL_CLIENT_S_DN']:UNDEFINED;
+
+$access = FALSE;
+
+// Access only from CATS.cacert.org with a client certificate for cats@cacert.org
+if (
+ $remote_addr == ALLOWED_IP &&
+ $https == 'on' &&
+ // Comment (to be romeved): better to use preg_match matching the end of the line (since this is on the end of the line right?)
+ // Ted: Is this specified? I don't think so, therefore I'd keep stristr
+ strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
+) $access = TRUE;
+
+if ($access !== TRUE) {
+ echo 'UNAUTHORIZED ACCESS<br>'."\r\n";
+ echo 'IP: '.sanitize_string($remote_addr).'<br>'."\r\n";
+ echo 'Server: '.sanitize_string($server_name).'<br>'."\r\n";
+ echo 'HTTPS: '.sanitize_string($https).'<br>'."\r\n";
+ echo 'Client cert: '.sanitize_string($ssl_client_s_dn).'<br>'."\r\n";
+ trigger_error('Unauthorized access: ip('.$remote_addr.') server('.$server_name.') https('.$https.') cert('.$ssl_client_s_dn.')', E_USER_ERROR);
+ exit();
+}
+
+// Comment (to be romeved): do you we session autostart in php.ini??
+// Ted: Sessions are quite meaningless for me since the upload protocol is stateless. Should session_start be called nevertheless?
+session_start();
+
+require_once(CONFIG_FILEPATH.'includes/mysql.php');
+
+// Comment (to be romeved): dunno the difference between stripslashes and stripcslashes
+// manual is iunclear too, please make sure there are no decoding issues
+// Ted: I just used it here because I saw it elsewhere and it seems to work. Would you prefer stripslashes?
+if (get_magic_quotes_gpc()) {
+ $serial = stripcslashes($_POST['serial']);
+ $root = stripcslashes($_POST['root']);
+ $type = stripcslashes($_POST['type']);
+ $variant = stripcslashes($_POST['variant']);
+ $date = stripcslashes($_POST['date']);
+} else {
+ $serial = $_POST['serial'];
+ $root = $_POST['root'];
+ $type = $_POST['type'];
+ $variant = $_POST['variant'];
+ $date = $_POST['date'];
+}
+
+// Explicitly select all those IDs so I can insert new rows if needed.
+$query = mysql_query('SELECT `id` FROM `cats_type` WHERE `type_text` = \''.mysql_real_escape_string($type).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $typeID = $result['0'];
+} else {
+ $query = mysql_query('INSERT INTO `cats_type` (`type_text`) VALUES (\''.mysql_real_escape_string($type).'\');');
+ if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+
+ $typeID = mysql_insert_id();
+}
+
+$query = mysql_query('SELECT `id` FROM `cats_variant` WHERE `type_id` = \''.(int)intval($typeID).'\' AND `test_text` = \''.mysql_real_escape_string($variant).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $variantID = $result['0'];
+} else {
+ $query = mysql_query('INSERT INTO `cats_variant` (`type_id`, `test_text`) VALUES (\''.(int)intval($typeID).'\', \''.mysql_real_escape_string($variant).'\');');
+ if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+
+ $variantID = mysql_insert_id();
+}
+
+// Now find the userid from cert serial
+$query = mysql_query('SELECT `ec`.`memid` FROM `emailcerts` AS `ec`, `root_certs` AS `rc` WHERE `ec`.`rootcert` = `rc`.`id` AND `ec`.`serial` = \''.mysql_real_escape_string($serial).'\' AND `rc`.`cert_text` = \''.mysql_real_escape_string($root).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $userID = $result['0'];
+} else {
+ echo 'Cannot find cert '.sanitize_string($serial).' / '.sanitize_string($root)."\r\n";
+ // Let's treat this as an error, since it should not happen.
+ trigger_error('Cannot find cert '.$serial.' / '.$root.'!'.mysql_error(), E_USER_ERROR);
+ exit();
+}
+
+// The unique constraint on cats_passed assures that records are not stored multiply
+$query = mysql_query('INSERT INTO `cats_passed` (`user_id`, `variant_id`, `pass_date`) VALUES (\''.(int)intval($userID).'\', \''.(int)intval($variantID).'\', \''.mysql_real_escape_string($date).'\');');
+if (!$query) {
+ if (mysql_errno() != 1062) { // Duplicate Entry is considered success
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+}
+
+// Update Assurer-Flag on users table if 100 points. Should the number of points be SUM(points) or SUM(awarded)?
+$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE `u`.`id` = \''.(int)intval($userID).'\' AND EXISTS(SELECT 1 FROM `cats_passed` AS `tp` WHERE `tp`.`user_id` = `u`.`id`) AND (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `expire` < now()) >= 100;'); // Challenge has been passed and non-expired points >= 100
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+echo 'OK'."\r\n";
+
+?>
diff --git a/www/cats/CVS/Entries b/www/cats/CVS/Entries
new file mode 100644
index 0000000..f863143
--- /dev/null
+++ b/www/cats/CVS/Entries
@@ -0,0 +1,2 @@
+/cats_import.php/1.5/Wed Oct 22 11:07:58 2008//
+D
diff --git a/www/cats/CVS/Repository b/www/cats/CVS/Repository
new file mode 100644
index 0000000..96342a9
--- /dev/null
+++ b/www/cats/CVS/Repository
@@ -0,0 +1 @@
+cacert/www/cats
diff --git a/www/cats/CVS/Root b/www/cats/CVS/Root
new file mode 100644
index 0000000..a363882
--- /dev/null
+++ b/www/cats/CVS/Root
@@ -0,0 +1 @@
+/var/lib/cvs
diff --git a/www/cats/cats_import.php b/www/cats/cats_import.php
new file mode 100644
index 0000000..6d77a75
--- /dev/null
+++ b/www/cats/cats_import.php
@@ -0,0 +1,166 @@
+<? /*
+ LibreSSL - CAcert web application
+ Copyright (C) 2004-2008 CAcert Inc.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 of the License.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+// Comment (to be romeved): better to disable shot open tags in php.ini
+
+/*
+ cats_import.php
+
+ API for CATS to import passed tests into main CAcert database.
+*/
+
+function sanitize_string($buffer) {
+ return htmlentities(utf8_decode($buffer), (int)ENQ_QUOTES);
+}
+
+define ('UNDEFINED', 'nd');
+define ('ALLOWED_IP', '213.154.225.228');
+define ('ALLOWED_IP2', '193.238.157.112');
+define ('CONFIG_FILEPATH', '/www/');
+
+$remote_addr = (isset($_SERVER['REMOTE_ADDR']))?$_SERVER['REMOTE_ADDR']:UNDEFINED;
+$server_name = (isset($_SERVER['SERVER_NAME']))?$_SERVER['SERVER_NAME']:UNDEFINED;
+$https = (isset($_SERVER['HTTPS']))?$_SERVER['HTTPS']:UNDEFINED;
+$ssl_client_s_dn = (isset($_SERVER['SSL_CLIENT_S_DN']))?$_SERVER['SSL_CLIENT_S_DN']:UNDEFINED;
+
+$access = FALSE;
+
+// Access only from CATS.cacert.org with a client certificate for cats@cacert.org
+if (
+ ($remote_addr == ALLOWED_IP || $remote_addr == ALLOWED_IP2) &&
+ $https == 'on' &&
+ // Comment (to be romeved): better to use preg_match matching the end of the line (since this is on the end of the line right?)
+ // Ted: Is this specified? I don't think so, therefore I'd keep stristr
+ strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
+) $access = TRUE;
+
+if ($access !== TRUE) {
+ echo 'UNAUTHORIZED ACCESS<br>'."\r\n";
+ echo 'IP: '.sanitize_string($remote_addr).'<br>'."\r\n";
+ echo 'Server: '.sanitize_string($server_name).'<br>'."\r\n";
+ echo 'HTTPS: '.sanitize_string($https).'<br>'."\r\n";
+ echo 'Client cert: '.sanitize_string($ssl_client_s_dn).'<br>'."\r\n";
+ trigger_error('Unauthorized access: ip('.$remote_addr.') server('.$server_name.') https('.$https.') cert('.$ssl_client_s_dn.')', E_USER_ERROR);
+ exit();
+}
+
+// Comment (to be romeved): do you we session autostart in php.ini??
+// Ted: Sessions are quite meaningless for me since the upload protocol is stateless. Should session_start be called nevertheless?
+session_start();
+
+require_once(CONFIG_FILEPATH.'includes/mysql.php');
+
+// Comment (to be romeved): dunno the difference between stripslashes and stripcslashes
+// manual is iunclear too, please make sure there are no decoding issues
+// Ted: I just used it here because I saw it elsewhere and it seems to work. Would you prefer stripslashes?
+if (get_magic_quotes_gpc()) {
+ $serial = stripcslashes($_POST['serial']);
+ $root = stripcslashes($_POST['root']);
+ $type = stripcslashes($_POST['type']);
+ $variant = stripcslashes($_POST['variant']);
+ $date = stripcslashes($_POST['date']);
+} else {
+ $serial = $_POST['serial'];
+ $root = $_POST['root'];
+ $type = $_POST['type'];
+ $variant = $_POST['variant'];
+ $date = $_POST['date'];
+}
+
+// Explicitly select all those IDs so I can insert new rows if needed.
+$query = mysql_query('SELECT `id` FROM `cats_type` WHERE `type_text` = \''.mysql_real_escape_string($type).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $typeID = $result['0'];
+} else {
+ $query = mysql_query('INSERT INTO `cats_type` (`type_text`) VALUES (\''.mysql_real_escape_string($type).'\');');
+ if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+
+ $typeID = mysql_insert_id();
+}
+
+$query = mysql_query('SELECT `id` FROM `cats_variant` WHERE `type_id` = \''.(int)intval($typeID).'\' AND `test_text` = \''.mysql_real_escape_string($variant).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $variantID = $result['0'];
+} else {
+ $query = mysql_query('INSERT INTO `cats_variant` (`type_id`, `test_text`) VALUES (\''.(int)intval($typeID).'\', \''.mysql_real_escape_string($variant).'\');');
+ if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+
+ $variantID = mysql_insert_id();
+}
+
+// Now find the userid from cert serial
+$query = mysql_query('SELECT `ec`.`memid` FROM `emailcerts` AS `ec`, `root_certs` AS `rc` WHERE `ec`.`rootcert` = `rc`.`id` AND `ec`.`serial` = \''.mysql_real_escape_string($serial).'\' AND `rc`.`cert_text` = \''.mysql_real_escape_string($root).'\';');
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+if (mysql_num_rows($query) > 0) {
+ $result = mysql_fetch_array($query);
+ $userID = $result['0'];
+} else {
+ echo 'Cannot find cert '.sanitize_string($serial).' / '.sanitize_string($root)."\r\n";
+ // Let's treat this as an error, since it should not happen.
+ trigger_error('Cannot find cert '.$serial.' / '.$root.'!'.mysql_error(), E_USER_ERROR);
+ exit();
+}
+
+// The unique constraint on cats_passed assures that records are not stored multiply
+$query = mysql_query('INSERT INTO `cats_passed` (`user_id`, `variant_id`, `pass_date`) VALUES (\''.(int)intval($userID).'\', \''.(int)intval($variantID).'\', \''.mysql_real_escape_string($date).'\');');
+if (!$query) {
+ if (mysql_errno() != 1062) { // Duplicate Entry is considered success
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+ }
+}
+
+// Update Assurer-Flag on users table if 100 points. Should the number of points be SUM(points) or SUM(awarded)?
+$query = mysql_query('UPDATE `users` AS `u` SET `assurer` = 1 WHERE `u`.`id` = \''.(int)intval($userID).'\' AND EXISTS(SELECT 1 FROM `cats_passed` AS `tp` WHERE `tp`.`user_id` = `u`.`id`) AND (SELECT SUM(`points`) FROM `notary` AS `n` WHERE `n`.`to` = `u`.`id` AND `expire` < now()) >= 100;'); // Challenge has been passed and non-expired points >= 100
+if (!$query) {
+ echo 'Invalid query'."\r\n";
+ trigger_error('Invalid query', E_USER_ERROR);
+ exit();
+}
+
+echo 'OK'."\r\n";
+
+?>