View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001200 | Main CAcert Website | GPG/PGP | public | 2013-08-03 15:41 | 2014-02-22 07:21 |
| Reporter | ansgar | Assigned To | BenBE | ||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Product Version | 2013 Q3 | ||||
| Target Version | 2013 Q3 | Fixed in Version | 2013 Q3 | ||
| Summary | 0001200: uses configuration files from world-writable directory | ||||
| Description | From www/gpg.php: ---- $debugpg = $gpg = trim(`gpg --with-colons --homedir /tmp 2>&1 < $tnam`); ---- Besides `...` always being bad, one shouldn't trust configuration files from a world-writable location such as /tmp. Also the output of this command is fully controlled by the input and shouldn't be trusted at all. Ansgar | ||||
| Tags | No tags attached. | ||||
| Reviewed by | NEOatNHNG, BenBE | ||||
| Test Instructions | |||||
|
|
I have adjusted the code so that a freshly created temporary directory is used a gpg homedir instead of just /tmp/ which should avoid users giving a false configuration file. Also I rewrote the code so that it doesn't store the key into a temporary file on disk but uses the STDIN directly (which should avoid any remaining race conditions and is more efficient). Please test and review. |
|
|
Patch generally okay, but I'd be more confident about this if proper validation of the returned directory name (does it exist and suffice the pattern?) was done. Also The removal of the temporary directory should be monitored properly to report failed cleanups to the error log. |
|
|
While trying to create a new gpg key I get this error statement: There was an error parsing your key. =>fail |
|
|
There was also a missing $ sign in one condition which is now fixed. Please try again. |
|
|
The error still exists: While trying to ctreate a new gpg key I get this error statement: There was an error parsing your key. =>fail |
|
|
Now it works. I could create a GPG-Key =>ok |
|
|
Now Works i got a signed GPG-key => ok |
|
|
Mail sent to critical admins. |
|
|
The patch has been installed on the production server on August 29, 2013. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2013-08/msg00005.html |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2013-08-03 15:41 | ansgar | New Issue | |
| 2013-08-06 20:06 | BenBE | Assigned To | => BenBE |
| 2013-08-06 20:06 | BenBE | Status | new => confirmed |
| 2013-08-06 20:06 | BenBE | Product Version | => 2013 Q3 |
| 2013-08-06 23:50 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable ddfbfc34 |
| 2013-08-06 23:50 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 79a582ee |
| 2013-08-07 00:53 | NEOatNHNG | Reviewed by | => NEOatNHNG |
| 2013-08-07 00:53 | NEOatNHNG | Note Added: 0004216 | |
| 2013-08-07 00:53 | NEOatNHNG | Status | confirmed => needs review & testing |
| 2013-08-07 00:55 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 49c75d71 |
| 2013-08-07 00:55 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable 359e6dac |
| 2013-08-07 01:10 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable cd10afce |
| 2013-08-07 01:10 | NEOatNHNG | Source_changeset_attached | => cacert-devel testserver-stable a733a971 |
| 2013-08-07 20:12 | BenBE | Note Added: 0004218 | |
| 2013-08-07 20:31 | INOPIAE | Note Added: 0004220 | |
| 2013-08-07 20:31 | INOPIAE | Note Edited: 0004220 | |
| 2013-08-08 05:50 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable 74d4bb0d |
| 2013-08-08 05:50 | BenBE | Source_changeset_attached | => cacert-devel testserver-stable be962501 |
| 2013-08-08 05:53 | BenBE | Note Added: 0004221 | |
| 2013-08-09 05:13 | INOPIAE | Note Edited: 0004220 | |
| 2013-08-09 05:13 | INOPIAE | Note Added: 0004223 | |
| 2013-08-10 03:44 | INOPIAE | Note Added: 0004225 | |
| 2013-08-13 20:50 | MartinGummi | Note Added: 0004226 | |
| 2013-08-13 20:57 | BenBE | Reviewed by | NEOatNHNG => NEOatNHNG, BenBE |
| 2013-08-13 20:57 | BenBE | Status | needs review & testing => ready to deploy |
| 2013-08-13 20:57 | BenBE | Target Version | => 2013 Q3 |
| 2013-08-25 22:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel release e40fba18 |
| 2013-08-25 22:45 | NEOatNHNG | Note Added: 0004253 | |
| 2013-08-29 10:28 | wytze | Note Added: 0004263 | |
| 2013-08-29 10:28 | wytze | Status | ready to deploy => solved? |
| 2013-08-29 10:28 | wytze | Fixed in Version | => 2013 Q3 |
| 2013-08-29 10:28 | wytze | Resolution | open => fixed |
| 2013-09-10 17:48 | Uli60 | Relationship added | related to 0001206 |
| 2013-11-20 22:21 | NEOatNHNG | View Status | private => public |
| 2014-02-22 07:21 | INOPIAE | Status | solved? => closed |
