From 6ee717361a98eb2d163dbbe5817443fbe2b9db76 Mon Sep 17 00:00:00 2001 From: Jamie Cameron Date: Fri, 20 Dec 2013 15:14:22 -0800 Subject: [PATCH] strict conversion and download sanity check --- acl/cert_form.cgi | 7 ++++-- acl/cert_issue.cgi | 56 ++++++++++++++++++++++++--------------------- acl/cert_output.cgi | 20 +++++++++------- acl/lang/en | 1 + 4 files changed, 48 insertions(+), 36 deletions(-) diff --git a/acl/cert_form.cgi b/acl/cert_form.cgi index 0006d3684..1666c0904 100755 --- a/acl/cert_form.cgi +++ b/acl/cert_form.cgi @@ -1,9 +1,12 @@ #!/usr/local/bin/perl # cert_form.cgi +use strict; +use warnings; require './acl-lib.pl'; -&ui_print_header(undef, $text{'cert_title'}, "", undef, undef, undef, undef, undef, undef, - "language=VBSCRIPT onload='postLoad()'"); +our (%in, %text, %config, %access); +&ui_print_header(undef, $text{'cert_title'}, "", undef, undef, undef, undef, + undef, undef, "language=VBSCRIPT onload='postLoad()'"); eval "use Net::SSLeay"; print "

$text{'cert_msg'}

\n"; diff --git a/acl/cert_issue.cgi b/acl/cert_issue.cgi index b0b736b35..77be5ede1 100755 --- a/acl/cert_issue.cgi +++ b/acl/cert_issue.cgi @@ -1,49 +1,53 @@ #!/usr/local/bin/perl # cert_issue.cgi +use strict; +use warnings; require './acl-lib.pl'; +our (%in, %text, %config, %access, $module_config_directory, $base_remote_user); &ReadParse(); &error_setup($text{'cert_err'}); $in{'key'} || &error($text{'cert_ekey'}); + +my %miniserv; &get_miniserv_config(\%miniserv); # Create the new key -$temp1 = &transname(); -$temp2 = &tempname(); -open(IN, ">$temp1"); -foreach $k ("emailAddress", "organizationalUnitName", "organizationName", - "stateOrProvinceName", "countryName", "commonName") { - print IN "$k = $in{$k}\n"; +my $temp1 = &transname(); +my $temp2 = &tempname(); +my $fh = "IN"; +&open_tempfile($fh, ">$temp1"); +foreach my $k ("emailAddress", "organizationalUnitName", "organizationName", + "stateOrProvinceName", "countryName", "commonName") { + &print_tempfile($fh, "$k = $in{$k}\n"); } $in{'key'} =~ s/\s//g; -print IN "SPKAC = $in{'key'}\n"; -close(IN); -$cmd = &get_ssleay(); -$ssleay = &backquote_logged("$cmd ca -spkac $temp1 -out $temp2 -config $module_config_directory/openssl.cnf -days 1095 2>&1"); -unlink($temp1); +&print_tempfile($fh, "SPKAC = $in{'key'}\n"); +&close_tempfile($fh); +my $cmd = &get_ssleay(); +my $ssleay = &backquote_logged("$cmd ca -spkac $temp1 -out $temp2 -config $module_config_directory/openssl.cnf -days 1095 2>&1"); +&unlink_file($temp1); if ($?) { &error("

$ssleay
"); } else { # Display status and redirect to actual cert file - $| = 1; - &ui_print_header(undef, $text{'cert_title'}, ""); - print "

",&text('cert_done', $in{'commonName'}),"

\n"; - print "",&text('cert_pickup', "cert_output.cgi?file=$temp2"),"

\n"; + &ui_print_unbuffered_header(undef, $text{'cert_title'}, ""); + print &text('cert_done', $in{'commonName'}),"

\n"; + print &text('cert_pickup', "cert_output.cgi?file=$temp2"),"

\n"; &ui_print_footer("", $text{'index_return'}); - # Update the miniserv users file - &lock_file($miniserv{'userfile'}); - $lref = &read_file_lines($miniserv{'userfile'}); - foreach $l (@$lref) { - @u = split(/:/, $l); - if ($u[0] eq $base_remote_user) { - $l = "$u[0]:$u[1]:$u[2]:/C=$in{'countryName'}/ST=$in{'stateOrProvinceName'}/O=$in{'organizationName'}/OU=$in{'organizationalUnitName'}/CN=$in{'commonName'}/Email=$in{'emailAddress'}"; - } - } - &flush_file_lines(); - &unlock_file($miniserv{'userfile'}); + # Update the Webmin user + my ($me) = grep { $_->{'name'} eq $base_remote_user } &list_users(); + $me || &error($text{'edit_egone'}); + $me->{'cert'} = "/C=$in{'countryName'}". + "/ST=$in{'stateOrProvinceName'}". + "/O=$in{'organizationName'}". + "/OU=$in{'organizationalUnitName'}". + "/CN=$in{'commonName'}". + "/Email=$in{'emailAddress'}"; + &modify_user($me->{'name'}, $me); sleep(1); &restart_miniserv(); diff --git a/acl/cert_output.cgi b/acl/cert_output.cgi index a7cb7e8f8..9314763a3 100755 --- a/acl/cert_output.cgi +++ b/acl/cert_output.cgi @@ -1,13 +1,17 @@ #!/usr/local/bin/perl # cert_issue.cgi +use strict; +use warnings; require './acl-lib.pl'; -&ReadParse(); -print "Content-type: application/x-x509-user-cert\n\n"; -open(OUT, $in{'file'}); -while() { - print; - } -close(OUT); -unlink($in{'file'}); +our (%in, %text, %config, %access); + +&ReadParse(); +my $tempdir = &tempname(); +$tempdir =~ s/\/[^\/]+$//; +&is_under_directory($tempdir, $in{'file'}) || + &error($text{'cert_etempdir'}); +print "Content-type: application/x-x509-user-cert\n\n"; +print &read_file_contents($in{'file'}); +&unlink_file($in{'file'}); diff --git a/acl/lang/en b/acl/lang/en index 2bc5e935f..b6507000e 100644 --- a/acl/lang/en +++ b/acl/lang/en 
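Review bot: The six DN fields read from `%in` in acl/cert_issue.cgi are still used without any validation. They are written one per line into the SPKAC request file by `&print_tempfile($fh, "$k = $in{$k}\n")`, concatenated into `$me->{'cert'}`, and `$in{'commonName'}` is printed through `&text('cert_done', ...)` unescaped. A value containing a newline adds extra lines to the file handed to `openssl ca`, and one containing `/` changes the structure of the stored DN, which is presumably what the client certificate is later matched against. I would reject such values at the top of the `foreach my $k` loop, for example `$in{$k} =~ /[\r\n\/]/ && &error($text{'PLACEHOLDER_new_message_key'});` (a new lang entry would be needed), and wrap the displayed name as `&html_escape($in{'commonName'})`.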
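Review bot: The new `&is_under_directory($tempdir, $in{'file'})` check in acl/cert_output.cgi confines `file` to the temp directory but still accepts any path inside it. The script will therefore return, and then `&unlink_file`, whatever temp file the request names, not only the certificate that cert_issue.cgi just wrote. Whether `is_under_directory` resolves symlinks, and what `unlink_file` does when given a directory, is not visible in this hunk. I would at least add `(-f $in{'file'} && !-l $in{'file'}) || &error($text{'cert_etempdir'});` before the `Content-type` line. Better still, have cert_issue.cgi pass only a file name and rebuild the full path server-side; the header comment here also still reads `# cert_issue.cgi`.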
@@ -164,6 +164,7 @@ cert_install=Install your certificate into browser cert_ekey=A new SSL key was not submitted by your browser - maybe it does not support SSL client certificates. cert_eca=Failed to setup certificate authority : $1 cert_already=Warning - you are already using the certificate $1. +cert_etempdir=Invalid certificate file acl_title=Module Access Control acl_title2=For $1 in $2