summaryrefslogtreecommitdiff
path: root/www
diff options
context:
space:
mode:
authorMichael Tänzer <neo@nhng.de>2013-09-17 22:52:52 +0200
committerMichael Tänzer <neo@nhng.de>2013-09-17 22:52:52 +0200
commitdd16a1106e8652a7698e6eedbc0a7134ad493d4e (patch)
treee7deb6ffdd58c7fa2fbdd44762c1510b07cc2514 /www
parented332a25dedba4b372d45e4bc4d5276d96d6ae38 (diff)
downloadcacert-devel-dd16a1106e8652a7698e6eedbc0a7134ad493d4e.tar.gz
cacert-devel-dd16a1106e8652a7698e6eedbc0a7134ad493d4e.tar.xz
cacert-devel-dd16a1106e8652a7698e6eedbc0a7134ad493d4e.zip
bug 1199: Escape the keyid if it's put into a shell command and get rid ofbug-1199
variable shadowing/overwriting Signed-off-by: Michael Tänzer <neo@nhng.de>
Diffstat (limited to 'www')
-rw-r--r--www/gpg.php23
1 files changed, 13 insertions, 10 deletions
diff --git a/www/gpg.php b/www/gpg.php
index f24d84c..829bbcf 100644
--- a/www/gpg.php
+++ b/www/gpg.php
@@ -319,10 +319,10 @@ function verifyEmail($email)
`keyid`='".mysql_real_escape_string($keyid)."',
`description`='".mysql_real_escape_string($description)."'";
mysql_query($query);
- $id = mysql_insert_id();
+ $insert_id = mysql_insert_id();
- $cwd = '/tmp/gpgspace'.$id;
+ $cwd = '/tmp/gpgspace'.$insert_id;
mkdir($cwd,0755);
$fp = fopen("$cwd/gpg.csr", "w");
@@ -333,7 +333,8 @@ function verifyEmail($email)
system("gpg --homedir $cwd --import $cwd/gpg.csr");
- $gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $keyid 2>&1`);
+ $cmd_keyid = escapeshellarg($keyid);
+ $gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $cmd_keyid 2>&1`);
$lines = "";
$gpgarr = explode("\n", $gpg);
foreach($gpgarr as $line)
@@ -433,7 +434,8 @@ function verifyEmail($email)
//echo "Keyid: $keyid\n";
- $process = proc_open("/usr/bin/gpg --homedir $cwd --no-tty --command-fd 0 --status-fd 1 --logger-fd 2 --edit-key $keyid", $descriptorspec, $pipes);
+ $cmd_keyid = escapeshellarg($keyid);
+ $process = proc_open("/usr/bin/gpg --homedir $cwd --no-tty --command-fd 0 --status-fd 1 --logger-fd 2 --edit-key $cmd_keyid", $descriptorspec, $pipes);
//echo "Process: $process\n";
//fputs($stderr,"Process: $process\n");
@@ -515,15 +517,16 @@ function verifyEmail($email)
}
- $csrname=generatecertpath("csr","gpg",$id);
- $do=`gpg --homedir $cwd --batch --export-options export-minimal --export $keyid >$csrname`;
+ $csrname=generatecertpath("csr","gpg",$insert_id);
+ $cmd_keyid = escapeshellarg($keyid);
+ $do=`gpg --homedir $cwd --batch --export-options export-minimal --export $cmd_keyid >$csrname`;
- mysql_query("update `gpg` set `csr`='$csrname' where `id`='$id'");
- waitForResult('gpg', $id);
+ mysql_query("update `gpg` set `csr`='$csrname' where `id`='$insert_id'");
+ waitForResult('gpg', $insert_id);
showheader(_("Welcome to CAcert.org"));
echo $resulttable;
- $query = "select * from `gpg` where `id`='$id' and `crt`!=''";
+ $query = "select * from `gpg` where `id`='$insert_id' and `crt`!=''";
$res = mysql_query($query);
if(mysql_num_rows($res) <= 0)
{
@@ -531,7 +534,7 @@ function verifyEmail($email)
echo _("If this is a re-occuring problem, please send a copy of the key you are trying to signed to support@cacert.org. Thank you.");
} else {
echo "<pre>";
- readfile(generatecertpath("crt","gpg",$id));
+ readfile(generatecertpath("crt","gpg",$insert_id));
echo "</pre>";
}