bug 1273: replace backtick operators with shell_exec
authorFelix Dörre <felix@dogcraft.de>
Sun, 15 Jun 2014 08:39:04 +0000 (10:39 +0200)
committerFelix Dörre <felix@dogcraft.de>
Sun, 15 Jun 2014 08:59:31 +0000 (10:59 +0200)
+ fix 1 missing escapeshellarg
Commands used to locate:
1.
find includes -type f -name '*.php' -exec cat {} \; \
| tr '\n' '?' | sed 's/\(\$query .\?= \|\
mysql_query(\|query_init (\)"\([^"]\|".\(\(intval\|mysql_real_escape_string\)\
(\$[^\$)]\+)\|\$_SESSION\(\['_config'\]\['user'\]\['Q[1-5]'\]\
\|['_config']['disablelogin']\)\)[ ?]*."\)*"/mysql-substitute/g'\
| tr '?' '\n' |  grep --color=always "\`"|less -r

and reviewing the queries by hand.

This command replaces strings that obviously look
like SQL queries and then outputs all remaining backticks:

starting with "$query = ,mysql_query, ..."
and are only interrupted by "safe" calls:
- mysql_real_escape_string
- intval
- pre_escaped session variables

(This command may also be used for locating
 bad escaped sql_queries)

2. grep -r "\`\(grep\|/\|echo\|dig\|openssl\|gpg\|rm\|../\)" www includes pages \
| grep -v '\(from\|update\|into\) `gpg'

includes/account.php
includes/general.php
pages/account/15.php
pages/account/19.php
pages/account/23.php
pages/account/6.php
www/api/ccsr.php
www/gpg.php

index b1ab984..0f2f05d 100644 (file)
@@ -402,7 +402,7 @@ function buildSubjectFromSession() {
                        fclose($fp);
                        $challenge=$_SESSION['spkac_hash'];
                        $CSRname_esc = escapeshellarg($CSRname);
-                       $res=`openssl spkac -verify -in $CSRname_esc`;
+                       $res=shell_exec("openssl spkac -verify -in $CSRname_esc");
                        if(!strstr($res,"Challenge String: ".$challenge))
                        {
                                $id = $oldid;
@@ -466,7 +466,7 @@ function buildSubjectFromSession() {
                        $tmpname = tempnam("/tmp", "id4csr");
                        $tmpfname_esc = escapeshellarg($tmpfname);
                        $tmpname_esc = escapeshellarg($tmpname);
-                       $do = `/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc`; // -subj "$csr"`;
+                       $do = shell_exec("/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc"); // -subj "$csr";
                        @unlink($tmpfname);
                        $csr = "";
                        $fp = fopen($tmpname, "r");
@@ -570,7 +570,7 @@ function buildSubjectFromSession() {
                $addy = array();
                $adds = array();
                if(strtolower(substr($newdom, -4, 3)) != ".jp")
-                       $adds = explode("\n", trim(`/usr/bin/whois $newdom|grep "@"`));
+                       $adds = explode("\n", trim(shell_exec("/usr/bin/whois $newdom|grep \"@\"")));
                if(substr($newdomain, -4) == ".org" || substr($newdomain, -5) == ".info")
                {
                        if(is_array($adds))
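Review bot: `$newdom` is interpolated into the whois command on the added line without a visible `escapeshellarg()`, while every other operand touched by this commit is escaped first; `shell_exec()` hands the string to the same shell as the backtick operator did, so unless `$newdom` is escaped earlier (outside this hunk) the rewrite preserves the original injection exposure. Add `$newdom_esc = escapeshellarg($newdom);` before the call and use `shell_exec("/usr/bin/whois $newdom_esc|grep \"@\"")`. The enclosing function starts and ends outside the hunk.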
@@ -740,8 +740,8 @@ function buildSubjectFromSession() {
                fputs($fp, $CSR);
                fclose($fp);
                $CSR = escapeshellarg($_SESSION['_config']['tmpfname']);
-               $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep "Subject:"`);
-               $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+               $_SESSION['_config']['subject'] = trim(shell_exec("/usr/bin/openssl req -text -noout -in $CSR |tr -d \"\\0\"|grep \"Subject:\""));
+               $bits = explode(",", trim(shell_exec("/usr/bin/openssl req -text -noout -in $CSR |tr -d \"\\0\"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:")));
                foreach($bits as $val)
                {
                        $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@@ -911,8 +911,8 @@ function buildSubjectFromSession() {
                                $newfile=generatecertpath("csr","server",$newid);
                                copy($row['csr_name'], $newfile);
                                $newfile_esc = escapeshellarg($newfile);
-                               $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d "\\0"|grep "Subject:"`);
-                               $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+                               $_SESSION['_config']['subject'] = trim(shell_exec("/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d \"\\0\"|grep \"Subject:\""));
+                               $bits = explode(",", trim(shell_exec("/usr/bin/openssl req -text -noout -in $newfile_esc |tr -d \"\\0\"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:")));
                                foreach($bits as $val)
                                {
                                        $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@@ -942,7 +942,7 @@ function buildSubjectFromSession() {
                                } else {
                                        $drow = mysql_fetch_assoc($res);
                                        $crt_name = escapeshellarg($drow['crt_name']);
-                                       $cert = `/usr/bin/openssl x509 -in $crt_name`;
+                                       $cert = shell_exec("/usr/bin/openssl x509 -in $crt_name");
                                        echo "<pre>\n$cert\n</pre>\n";
                                }
                        }
@@ -1559,7 +1559,7 @@ function buildSubjectFromSession() {
                        fclose($fp);
                        $challenge=$_SESSION['spkac_hash'];
                        $CSRname_esc = escapeshellarg($CSRname);
-                       $res=`openssl spkac -verify -in $CSRname_esc`;
+                       $res=shell_exec("openssl spkac -verify -in $CSRname_esc");
                        if(!strstr($res,"Challenge String: ".$challenge))
                        {
                                $id = $oldid;
@@ -1613,7 +1613,7 @@ function buildSubjectFromSession() {
                        $tmpname = tempnam("/tmp", "id17csr");
                        $tmpfname_esc = escapeshellarg($tmpfname);
                        $tmpname_esc = escapeshellarg($tmpname);
-                       $do = `/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc`;
+                       $do = shell_exec("/usr/bin/openssl req -in $tmpfname_esc -out $tmpname_esc");
                        @unlink($tmpfname);
                        $csr = "";
                        $fp = fopen($tmpname, "r");
@@ -1867,8 +1867,8 @@ function buildSubjectFromSession() {
                fputs($fp, $CSR);
                fclose($fp);
                $CSR = escapeshellarg($_SESSION['_config']['tmpfname']);
-               $_SESSION['_config']['subject'] = trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep "Subject:"`);
-               $bits = explode(",", trim(`/usr/bin/openssl req -text -noout -in $CSR |tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+               $_SESSION['_config']['subject'] = trim(shell_exec("/usr/bin/openssl req -text -noout -in $CSR |tr -d \"\\0\"|grep \"Subject:\""));
+               $bits = explode(",", trim(shell_exec("/usr/bin/openssl req -text -noout -in $CSR |tr -d \"\\0\"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:")));
                foreach($bits as $val)
                {
                        $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
@@ -2091,7 +2091,7 @@ function buildSubjectFromSession() {
                                } else {
                                        $drow = mysql_fetch_assoc($res);
                                        $crtname = escapeshellarg($drow['crt_name']);
-                                       $cert = `/usr/bin/openssl x509 -in $crtname`;
+                                       $cert = shell_exec("/usr/bin/openssl x509 -in $crtname");
                                        echo "<pre>\n$cert\n</pre>\n";
                                }
                        }
@@ -2812,8 +2812,8 @@ function buildSubjectFromSession() {
        {
                $CSR = clean_csr($CSR);
                $_SESSION['_config']['CSR'] = $CSR;
-               $_SESSION['_config']['subject'] = trim(`echo "$CSR"|/usr/bin/openssl req -text -noout|tr -d "\\0"|grep "Subject:"`);
-               $bits = explode(",", trim(`echo "$CSR"|/usr/bin/openssl req -text -noout|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+               $_SESSION['_config']['subject'] = trim(shell_exec("echo \"$CSR\"|/usr/bin/openssl req -text -noout|tr -d \"\\0\"|grep \"Subject:\""));
+               $bits = explode(",", trim(shell_exec("echo \"$CSR\"|/usr/bin/openssl req -text -noout|tr -d \"\\0\"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:")));
                foreach($bits as $val)
                {
                        $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
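Review bot: On the two added lines `$CSR` is placed inside shell double quotes (`echo \"$CSR\"`), and the shell still expands `$`, backticks and backslash sequences inside double quotes, so the command is only as safe as what `clean_csr()` (defined outside the hunk) removes — worth confirming against that function. The consistent fix is `"echo ".escapeshellarg($CSR)."|/usr/bin/openssl req -text -noout|..."`, or better, passing the CSR to openssl on stdin via `proc_open()` so no shell parsing is involved at all. The same pattern appears in the hunk at @@ -2837. The enclosing block starts outside the hunk.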
@@ -2837,8 +2837,8 @@ function buildSubjectFromSession() {
        if($process != "" && $oldid == 46)
        {
                $CSR = clean_csr($_SESSION['_config']['CSR']);
-               $_SESSION['_config']['subject'] = trim(`echo "$CSR"|/usr/bin/openssl req -text -noout|tr -d "\\0"|grep "Subject:"`);
-               $bits = explode(",", trim(`echo "$CSR"|/usr/bin/openssl req -text -noout|tr -d "\\0"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:`));
+               $_SESSION['_config']['subject'] = trim(shell_exec("echo \"$CSR\"|/usr/bin/openssl req -text -noout|tr -d \"\\0\"|grep \"Subject:\""));
+               $bits = explode(",", trim(shell_exec("echo \"$CSR\"|/usr/bin/openssl req -text -noout|tr -d \"\\0\"|grep -A1 'X509v3 Subject Alternative Name:'|grep DNS:")));
                foreach($bits as $val)
                {
                        $_SESSION['_config']['subject'] .= "/subjectAltName=".trim($val);
index 854aab4..02b559b 100644 (file)
                //echo "Points due to name matches: $points<br/>";
 
                $shellpwd = escapeshellarg($pwd);
-               $do = `grep -F -- $shellpwd /usr/share/dict/american-english`;
+               $do = shell_exec("grep -F -- $shellpwd /usr/share/dict/american-english");
                if($do)
                        $points--;
 
                $fp = fopen($tmpfname, "w");
                fputs($fp, $message);
                fclose($fp);
-               $do = `/usr/bin/gpg --homedir /home/gpg --clearsign "$tmpfname"|/usr/sbin/sendmail "$to"`;
+               $do = shell_exec("/usr/bin/gpg --homedir /home/gpg --clearsign \"$tmpfname\"|/usr/sbin/sendmail ".escapeshellarg($to));
                @unlink($tmpfname);
        }
 
                {
                        list($username,$domain)=explode('@',$email,2);
                        $dom = escapeshellarg($domain);
-                       $line = trim(`dig +short MX $dom 2>&1`);
+                       $line = trim(shell_exec("dig +short MX $dom 2>&1"));
 #echo $email."-$dom-$line-\n";
-#echo `dig +short mx heise.de 2>&1`."-<br>\n";
+#echo shell_exec("dig +short mx heise.de 2>&1")."-<br>\n";
 
                        $list = explode("\n", $line);
                        foreach($list as $row) {
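Review bot: On the gpg/sendmail line the recipient now goes through `escapeshellarg($to)`, but `$tmpfname` on the same line is still quoted only with shell double quotes (`\"$tmpfname\"`); since the line already mixes both styles, use `"/usr/bin/gpg --homedir /home/gpg --clearsign ".escapeshellarg($tmpfname)."|/usr/sbin/sendmail ".escapeshellarg($to)` so the command does not depend on what `$tmpfname` contains (its origin is outside this section; if it is a `tempnam()` result this is a consistency point only). The `$do` result of that call is assigned and never examined, so a failed signing or sendmail run is silent — at minimum log when `shell_exec()` returns null. The enclosing functions start outside the visible hunks.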
index 6cd3115..405cb44 100644 (file)
@@ -30,7 +30,7 @@
        }
        $row = mysql_fetch_assoc($res);
         $crtname=escapeshellarg($row['crt_name']);
-       $cert = `/usr/bin/openssl x509 -in $crtname`;
+       $cert = shell_exec("/usr/bin/openssl x509 -in $crtname");
 ?>
 <h3><?=_("Below is your Server Certificate")?></h3>
 <pre>
index 6a2749c..959111f 100644 (file)
@@ -31,7 +31,7 @@
        }
        $row = mysql_fetch_assoc($res);
         $crtname=escapeshellarg($row['crt_name']);
-       $cert = `/usr/bin/openssl x509 -in $crtname`;
+       $cert = shell_exec("/usr/bin/openssl x509 -in $crtname");
 
        if($row['keytype'] == "NS")
        {
index 4ec56c3..4255b47 100644 (file)
@@ -30,7 +30,7 @@
        }
        $row = mysql_fetch_assoc($res);
         $crtname=escapeshellarg($row['crt_name']);
-       $cert = `/usr/bin/openssl x509 -in $crtname`;
+       $cert = shell_exec("/usr/bin/openssl x509 -in $crtname");
 ?>
 <h3><?=_("Below is your Server Certificate")?></h3>
 <pre>
index 305fccb..de8d1a3 100644 (file)
@@ -60,7 +60,7 @@ if (array_key_exists('format', $_REQUEST)) {
        }
 
        $crtname=escapeshellarg($row['crt_name']);
-       $cert = `/usr/bin/openssl x509 -in $crtname $outform`;
+       $cert = shell_exec("/usr/bin/openssl x509 -in $crtname $outform");
 
        header("Content-Type: application/pkix-cert");
        header("Content-Length: ".strlen($cert));
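Review bot: `$outform` is interpolated into the openssl command on the added line without escaping, and the hunk header shows this code runs under `if (array_key_exists('format', $_REQUEST))`, so its value may be derived from a request parameter. If `$outform` is assigned by mapping the parameter onto a fixed set of literal option strings (outside the hunk) this is fine; otherwise it should be resolved from such an allowlist before the call rather than passed through to the shell. `shell_exec()` returns null on failure, so checking `$cert === null` before the `header()` calls avoids serving an empty body with a certificate Content-Type. The enclosing block starts and ends outside the hunk.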
@@ -82,7 +82,7 @@ if (array_key_exists('format', $_REQUEST)) {
        } else {
                // All other browsers
                $crtname=escapeshellarg($row['crt_name']);
-               $cert = `/usr/bin/openssl x509 -in $crtname -outform DER`;
+               $cert = shell_exec("/usr/bin/openssl x509 -in $crtname -outform DER");
 
                header("Content-Type: application/x-x509-user-cert");
                header("Content-Length: ".strlen($cert));
@@ -111,7 +111,7 @@ if (array_key_exists('format', $_REQUEST)) {
 
        // Allow to directly copy and paste the cert in PEM format
        $crtname=escapeshellarg($row['crt_name']);
-       $cert = `/usr/bin/openssl x509 -in $crtname -outform PEM`;
+       $cert = shell_exec("/usr/bin/openssl x509 -in $crtname -outform PEM");
        echo "<pre>$cert</pre>";
 
        ?>
index b223168..3bfe55a 100644 (file)
@@ -75,7 +75,7 @@ require_once '../../includes/lib/check_weak_key.php';
        fclose($fp);
        $incsr_esc = escapeshellarg($incsr);
        $checkedcsr_esc = escapeshellarg($checkedcsr);
-       $do = `/usr/bin/openssl req -in $incsr_esc -out $checkedcsr_esc`;
+       $do = shell_exec("/usr/bin/openssl req -in $incsr_esc -out $checkedcsr_esc");
        @unlink($incsr);
        if(filesize($checkedcsr) <= 0)
                die("404,Invalid or missing CSR");
@@ -97,7 +97,7 @@ require_once '../../includes/lib/check_weak_key.php';
        foreach($emails as $emailid => $email)
                mysql_query("insert into `emaillink` set `emailcertsid`='$certid', `emailid`='".intval($emailid)."'");
 
-       $do = `../../scripts/runclient`;
+       $do = shell_exec("../../scripts/runclient");
        sleep(10); // THIS IS BROKEN AND SHOULD BE FIXED
        $query = "select * from `emailcerts` where `id`='$certid' and `crt_name` != ''";
        $res = mysql_query($query);
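Review bot: The added `shell_exec("../../scripts/runclient")` resolves the script relative to the process working directory rather than to this file, so it silently does nothing when the web server's cwd differs; `shell_exec(escapeshellarg(__DIR__ . '/../../scripts/runclient'))` pins it to the file location. Its return value is stored in `$do` and never examined, so a failed run is indistinguishable from a successful one before the `sleep(10)` that the existing comment already flags. The enclosing block starts outside the hunk.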
index 263c1d3..72c28b8 100644 (file)
@@ -106,7 +106,7 @@ function verifyEmail($email)
                                        clean_gpgcsr($CSR),
                                        $gpg);
 
-                       `rm -r $tmpdir`;
+                       shell_exec("rm -r $tmpdir");
                }
 
                if ($err)
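Review bot: `$tmpdir` on the added `shell_exec("rm -r $tmpdir")` line is not escaped, and the same applies to `$cwd` in the hunks at @@ -334 and @@ -519 and to the `>$csrname` redirection at @@ -519, even though `$keyid` on those lines is escaped; switching from backticks to `shell_exec()` does not change what the shell parses. If these are internally generated paths this is a consistency point, but wrapping each in `escapeshellarg()` removes the dependency on their contents, e.g. `shell_exec("rm -r ".escapeshellarg($tmpdir));`. For the temp-dir cleanup a PHP-side recursive removal (`RecursiveDirectoryIterator` with `unlink()`/`rmdir()`) avoids spawning a shell at all. The enclosing function starts and ends outside the hunk.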
@@ -334,7 +334,7 @@ function verifyEmail($email)
 
 
                $cmd_keyid = escapeshellarg($keyid);
-               $gpg = trim(`gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $cmd_keyid 2>&1`);
+               $gpg = trim(shell_exec("gpg --homedir $cwd --with-colons --fixed-list-mode --list-keys $cmd_keyid 2>&1"));
                $lines = "";
                $gpgarr = explode("\n", $gpg);
                foreach($gpgarr as $line)
@@ -519,7 +519,7 @@ function verifyEmail($email)
 
                $csrname=generatecertpath("csr","gpg",$insert_id);
                $cmd_keyid = escapeshellarg($keyid);
-               $do=`gpg --homedir $cwd --batch --export-options export-minimal --export $cmd_keyid >$csrname`;
+               $do=shell_exec("gpg --homedir $cwd --batch --export-options export-minimal --export $cmd_keyid >$csrname");
 
                mysql_query("update `gpg` set `csr`='$csrname' where `id`='$insert_id'");
                waitForResult('gpg', $insert_id);