View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001439 | Main CAcert Website | misc | public | 2018-05-13 19:14 | 2018-11-01 21:12 |
Reporter | Ted | Assigned To | egal | ||
Priority | normal | Severity | major | Reproducibility | always |
Status | fix available | Resolution | open | ||
Summary | 0001439: Changes needed for cats_import.php for new PHP version | ||||
Description | As noticed by Wytze, the old version of cats_import.php seems not to work with the updated OS (Debian Jessie). Obviously the format of the server variable SSL_CLIENT_S_DN has changed, so matching the Upload DN does not work anymore. Wytze has installed a hotfix to get the CATS result upload working again, but there is also another issue here when checking for the DN: the check should make sure that the complete emailAddress field is checked; the current check could probably be fooled by a certificate issued for cats@cacert.org.evildomain.com. I guess that was the intention of the reviewer's comment, but it looks like I did not get it then... :-( | ||||
Additional Information | Complete mail from Wytze: Hi Ted, Since we have upgraded the CAcert chroot application environment to Debian Jessie on the webdb production server, it appears that import from CATS does not work anymore. I noticed these messages in the errorlog: [Sun Apr 29 06:35:01.458559 2018] [:error] [pid 17899] [client 213.154.225.243:59570] PHP Fatal error: Unauthorized access: ip(213.154.225.243) server(secure.cacert.org) https(on) cert(emailAddress=cats@cacert.org,CN=CAcert WoT User) in /www/www/cats/cats_import.php on line 60 Looking at the code, it seems that the match for the email address in the presented certificate is failing. Somehow with the new PHP version the / is no longer appearing in front of emailAddress=cats@cacert.org. I have made the following tentative fix: wytze@webdb:/home/cacert/www/www/cats$ cvs diff -u cats_import.php Index: cats_import.php =================================================================== RCS file: /var/lib/cvs/cacert/www/cats/cats_import.php,v retrieving revision 1.7 diff -u -r1.7 cats_import.php --- cats_import.php 10 Jun 2012 09:10:54 -0000 1.7 +++ cats_import.php 5 May 2018 08:11:52 -0000 @@ -48,7 +48,7 @@ $https == 'on' && // Comment (to be romeved): better to use preg_match matching the end of the line (since this is on the end of the line right?) // Ted: Is this specified? I don't think so, therefore I'd keep stristr - strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0 + strlen(stristr($ssl_client_s_dn, 'emailAddress=cats@cacert.org')) > 0 ) $access = TRUE; if ($access !== TRUE) { wytze@webdb:/home/cacert/www/www/cats$ and this restored operation of the CATS upload operation. Can you provide us with an official checkin request for this change, so it gets recorded in the CVS tree? Regards, -- wytze | ||||
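Review bot: the new needle 'emailAddress=cats@cacert.org' in the stristr() call is unanchored on both sides, so the test passes for any subject DN that merely contains that text, including an emailAddress value that continues past "cacert.org" (the case raised in the description). Suggest extracting the emailAddress component from $ssl_client_s_dn and comparing its whole value, or at least requiring that the match is followed by "," or the end of the string. The DN in the quoted error log, "emailAddress=cats@cacert.org,CN=CAcert WoT User", shows the attribute is no longer last, so the end-of-line preg_match proposed in the inline comment would not work as written. The context also still carries the comment marked "to be romeved"; drop or update it in the same check-in.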
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
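The exact-match check the description asks for, as an added PHP example (not CAcert's code; `dn_pairs()` and `is_cats_uploader()` are hypothetical names): it parses both DN forms and compares the whole emailAddress value, printed next to the hotfix's substring test. The sample DNs are constructed, except the first, which is the one quoted in the error log.

```php
<?php
// Added example, not CAcert code. Function names are hypothetical; the sample
// DNs are constructed except the first, which is quoted from the error log.

// Split a subject DN string into array(attribute, value) pairs. Accepts the
// old "/CN=x/emailAddress=y" form and the comma form from the error log.
// Assumption: values contain no "/" (old form) or unescaped "," (comma form).
function dn_pairs($dn)
{
    $dn = trim($dn);
    if ($dn === '') {
        return array();
    }
    $parts = ($dn[0] === '/')
        ? explode('/', substr($dn, 1))
        : preg_split('/(?<!\\\\),/', $dn);   // commas not escaped with "\"
    $pairs = array();
    foreach ($parts as $part) {
        $kv = explode('=', $part, 2);
        if (count($kv) === 2) {
            $pairs[] = array(trim($kv[0]), trim($kv[1]));
        }
    }
    return $pairs;
}

// True only if the DN has exactly one emailAddress and its whole value matches.
function is_cats_uploader($dn, $expected = 'cats@cacert.org')
{
    $emails = array();
    foreach (dn_pairs($dn) as $pair) {
        if (strcasecmp($pair[0], 'emailAddress') === 0) {
            $emails[] = $pair[1];
        }
    }
    return count($emails) === 1 && strcasecmp($emails[0], $expected) === 0;
}

$samples = array(
    'emailAddress=cats@cacert.org,CN=CAcert WoT User',                // new form
    '/CN=CAcert WoT User/emailAddress=cats@cacert.org',               // old form
    'emailAddress=cats@cacert.org.evildomain.com,CN=CAcert WoT User', // suffix
    'CN=emailAddress=cats@cacert.org',                                // wrong attribute
);
foreach ($samples as $dn) {
    $old = stristr($dn, 'emailAddress=cats@cacert.org') !== false; // hotfix test
    printf("%-63s substring=%-3s exact=%s\n", $dn,
        $old ? 'yes' : 'no', is_cats_uploader($dn) ? 'yes' : 'no');
}
```

mod_ssl also exports individual subject components (for example `SSL_CLIENT_S_DN_Email`) when its standard environment variables are enabled, which avoids parsing the string at all; whether that is available in this setup is not stated on the page.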

Checked in branch bug-1439 to GitHub. Maybe it has to be merged into the repository of git.cacert.org...

Dirk, since I wrote the patch I really cannot review it myself. Can you give it a try? And maybe we can try the "two developer reviews replace one Assessor review" variant?

The issue also has to be tested. To test on the test server I'll have to get the test-CATS-upload running again...
Date Modified | Username | Field | Change |
---|---|---|---|
2018-05-13 19:14 | Ted | New Issue | |
2018-05-14 13:25 | wytze | View Status | private => public |
2018-05-14 20:32 | Ted | Assigned To | => Ted |
2018-05-14 20:32 | Ted | Status | new => fix available |
2018-05-14 20:32 | Ted | Note Added: 0005589 | |
2018-11-01 21:08 | Ted | Assigned To | Ted => egal |
2018-11-01 21:10 | Ted | Note Added: 0005636 | |
2018-11-01 21:12 | Ted | Note Added: 0005637 |