View Issue Details

IDProjectCategoryView StatusLast Update
0001439Main CAcert Websitemiscpublic2018-11-01 21:12
ReporterTed Assigned Toegal  
PrioritynormalSeveritymajorReproducibilityalways
Status fix availableResolutionopen 
Summary0001439: Changes needed for cats_import.php for new PHP version
DescriptionAs noticed by Wytze, the old version of cats_import.php seems not to work with the updated OS (Debian
Jessie). Obviously the format of the server variable SSL_CLIENT_S_DN has changed, so matching the Upload DN does not work anymore.

Wytze has installed a hotfix to get the CATS result upload working again, but there is also another issue here when checking for the DN, the check should make sure that the complete emailAddress field is checked, the current check could probably be fooled by a certificate issued for cats@cacert.org.evildomain.com. I guess that was the intention of the reviewer's comment, but it looks like I did not get it then... :-(
Additional InformationComplete mail from Wytze:

Hi Ted,

Since we have upgraded the CAcert chroot application environment to Debian
Jessie on the webdb production server, it appears that import from CATS
does not work anymore. I noticed these messages in the errorlog:

[Sun Apr 29 06:35:01.458559 2018] [:error] [pid 17899] [client
213.154.225.243:59570] PHP Fatal error: Unauthorized access:
ip(213.154.225.243) server(secure.cacert.org) https(on)
cert(emailAddress=cats@cacert.org,CN=CAcert WoT User) in
/www/www/cats/cats_import.php on line 60

Looking at the code, it seems that the match for the email address in
the presented certificate is failing. Somehow with the new PHP version
the / is no longer appearing in front of emailAddress=cats@cacert.org.

I have made the following tentative fix:

wytze@webdb:/home/cacert/www/www/cats$ cvs diff -u cats_import.php
Index: cats_import.php
===================================================================
RCS file: /var/lib/cvs/cacert/www/cats/cats_import.php,v
retrieving revision 1.7
diff -u -r1.7 cats_import.php
--- cats_import.php 10 Jun 2012 09:10:54 -0000 1.7
+++ cats_import.php 5 May 2018 08:11:52 -0000
@@ -48,7 +48,7 @@
  $https == 'on' &&
  // Comment (to be romeved): better to use preg_match matching the end of the
line (since this is on the end of the line right?)
  // Ted: Is this specified? I don't think so, therefore I'd keep stristr
- strlen(stristr($ssl_client_s_dn, '/emailAddress=cats@cacert.org')) > 0
+ strlen(stristr($ssl_client_s_dn, 'emailAddress=cats@cacert.org')) > 0
 ) $access = TRUE;

 if ($access !== TRUE) {
wytze@webdb:/home/cacert/www/www/cats$

and this restored operation of the CATS upload operation.

Can you provide us with an official checkin request for this change,
so it gets recorded in the CVS tree?

Regards,
-- wytze
TagsNo tags attached.
Reviewed by
Test Instructions

Activities

Ted

2018-05-14 20:32

administrator   ~0005589

Checked in branch bug-1439 to Github. Maybe it has to be merged into the repository of git.cacert.org...

Ted

2018-11-01 21:10

administrator   ~0005636

Dirk, since I wrote the patch I really cannot review it myself. Can you give a try? And maybe we can try the "two developer reviews replave one Assessor review" variant?

Ted

2018-11-01 21:12

administrator   ~0005637

The issue also has to be tested. To test on the testerver I'll have to get the test-CATS-upload running again...

Issue History

Date Modified Username Field Change
2018-05-13 19:14 Ted New Issue
2018-05-14 13:25 wytze View Status private => public
2018-05-14 20:32 Ted Assigned To => Ted
2018-05-14 20:32 Ted Status new => fix available
2018-05-14 20:32 Ted Note Added: 0005589
2018-11-01 21:08 Ted Assigned To Ted => egal
2018-11-01 21:10 Ted Note Added: 0005636
2018-11-01 21:12 Ted Note Added: 0005637