bug 1272: Properly escape the filename passed to OpenSSL
authorBenny Baumann <BenBE@geshi.org>
Fri, 18 Apr 2014 22:45:25 +0000 (00:45 +0200)
committerBenny Baumann <BenBE@geshi.org>
Fri, 18 Apr 2014 22:45:25 +0000 (00:45 +0200)
includes/account.php
scripts/cron/warning.php
scripts/scanforexponents.php
www/api/ccsr.php

index 09c123b..8c86d4f 100644 (file)
@@ -395,7 +395,8 @@ function buildSubjectFromSession() {
                        fputs($fp, $emails);
                        fclose($fp);
                        $challenge=$_SESSION['spkac_hash'];
-                       $res=`openssl spkac -verify -in $CSRname`;
+                       $CSRname_esc = escapeshellarg($CSRname);
+                       $res=`openssl spkac -verify -in $CSRname_esc`;
                        if(!strstr($res,"Challenge String: ".$challenge))
                        {
                                $id = $oldid;
@@ -457,7 +458,9 @@ function buildSubjectFromSession() {
                                $csrsubject .= "/emailAddress = ".$user['uniqueID'];
 
                        $tmpname = tempnam("/tmp", "id4csr");
-                       $do = `/usr/bin/openssl req -in $tmpfname -out $tmpname`; // -subj "$csr"`;
+                       $tmpfname_esc = escapeshellarg($tmpfname);
+                       $tmpname_esc = escapeshellarg($tmpname);
+                       $do = `/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc`; // -subj "$csr"`;
                        @unlink($tmpfname);
                        $csr = "";
                        $fp = fopen($tmpname, "r");
@@ -733,9 +736,9 @@ function buildSubjectFromSession() {
                $fp = fopen($_SESSION['_config']['tmpfname'], "w");
                fputs($fp, $CSR);
                fclose($fp);
-               $CSR = $_SESSION['_config']['tmpfname'];
-               $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`);
-               $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+               $CSR = escapeshellarg($_SESSION['_config']['tmpfname']);
+               $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep "Subject:"`);
+               $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
                foreach($bits as $val)
                {
                        $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@@ -900,8 +903,9 @@ function buildSubjectFromSession() {
                                $newid = mysql_insert_id();
                                $newfile=generatecertpath("csr","server",$newid);
                                copy($row['csr_name'], $newfile);
-                               $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$newfile"|tr -d "\\0"|grep "Subject:"`);
-                               $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$newfile"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+                               $newfile_esc = escapeshellarg($newfile);
+                               $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d "\\0"|grep "Subject:"`);
+                               $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
                                foreach($bits as $val)
                                {
                                        $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@@ -930,7 +934,8 @@ function buildSubjectFromSession() {
                                        printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions."), "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
                                } else {
                                        $drow = mysql_fetch_assoc($res);
-                                       $cert = `/usr/bin/openssl x509 -in $drow[crt_name]`;
+                                       $crt_name = escapeshellarg($drow['crt_name']);
+                                       $cert = `/usr/bin/openssl x509 -in $crt_name`;
                                        echo "<pre>\n$cert\n</pre>\n";
                                }
                        }
@@ -1552,7 +1557,8 @@ function buildSubjectFromSession() {
                        fputs($fp, $emails);
                        fclose($fp);
                        $challenge=$_SESSION['spkac_hash'];
-                       $res=`openssl spkac -verify -in $CSRname`;
+                       $CSRname_esc = escapeshellarg($CSRName);
+                       $res=`openssl spkac -verify -in $CSRname_esc`;
                        if(!strstr($res,"Challenge String: ".$challenge))
                        {
                                $id = $oldid;
@@ -1604,7 +1610,9 @@ function buildSubjectFromSession() {
                                $csrsubject .= "/countryName=".$org['C'];
 
                        $tmpname = tempnam("/tmp", "id17csr");
-                       $do = `/usr/bin/openssl req -in $tmpfname -out $tmpname`;
+                       $tmpfname_esc = escapeshellarg($tmpfname);
+                       $tmpname_esc = escapeshellarg($tmpname);
+                       $do = `/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc`;
                        @unlink($tmpfname);
                        $csr = "";
                        $fp = fopen($tmpname, "r");
@@ -1860,9 +1868,9 @@ function buildSubjectFromSession() {
                $fp = fopen($_SESSION['_config']['tmpfname'], "w");
                fputs($fp, $CSR);
                fclose($fp);
-               $CSR = $_SESSION['_config']['tmpfname'];
-               $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep "Subject:"`);
-               $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in "$CSR"|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+               $CSR = escapeshellarg($_SESSION['_config']['tmpfname']);
+               $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep "Subject:"`);
+               $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
                foreach($bits as $val)
                {
                        $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@@ -2080,7 +2088,8 @@ function buildSubjectFromSession() {
                                        printf(_("Your certificate request has failed to be processed correctly, see %sthe WIKI page%s for reasons and solutions.")." newid: $newid", "<a href='http://wiki.cacert.org/wiki/FAQ/CertificateRenewal'>", "</a>");
                                } else {
                                        $drow = mysql_fetch_assoc($res);
-                                       $cert = `/usr/bin/openssl x509 -in $drow[crt_name]`;
+                                       $crtname = escapeshellarg($drow['crt_name']);
+                                       $cert = `/usr/bin/openssl x509 -in $crtname`;
                                        echo "<pre>\n$cert\n</pre>\n";
                                }
                        }
index 0c97ba2..8f607cd 100755 (executable)
@@ -38,7 +38,8 @@
                        {
                                $row['crt_name'] = str_replace("../", "www/", $row['crt_name']);
                                $row['crt_name'] = "/home/cacert/".$row['crt_name'];
-                               $subject = `openssl x509 -in '$row[crt_name]' -text -noout|grep Subject:`;
+                               $crt_name = escapeshellarg($row['crt_name']);
+                               $subject = `openssl x509 -in $crt_name -text -noout|grep Subject:`;
                                $bits = explode("/", $subject);
                                foreach($bits as $val)
                                {
index 7136723..388fe1e 100755 (executable)
                if(!is_file($file))
                        continue;
 
+               $file_esc = escapeshellarg($file);
                if(substr($file, -3) == "der")
-                       $do = trim(`openssl x509 -inform der -in $file -text -noout 2>&1 |grep 'Exponent'`);
+                       $do = trim(`openssl x509 -inform der -in $file_esc -text -noout 2>&1 |grep 'Exponent'`);
                else
-                       $do = trim(`openssl x509 -in $file -text -noout 2>&1 |grep 'Exponent'`);
+                       $do = trim(`openssl x509 -in $file_esc -text -noout 2>&1 |grep 'Exponent'`);
 
                if($do == "")
                        continue;
index 7efdf8d..403882f 100644 (file)
@@ -73,7 +73,9 @@ require_once '../../includes/lib/check_weak_key.php';
        $fp = fopen($incsr, "w");
        fputs($fp, $CSR);
        fclose($fp);
-       $do = `/usr/bin/openssl req -in $incsr -out $checkedcsr`;
+       $incsr_esc = escapeshellarg($incsr);
+       $checkedcsr_esc = escapeshellarg($checkedcsr);
+       $do = `/usr/bin/openssl req -in $incsr_esc -out $checkedcsr_esc`;
        @unlink($incsr);
        if(filesize($checkedcsr) <= 0)
                die("404,Invalid or missing CSR");