Subject: CAcert Code Development list.
- From: Wytze van der Raay <wytze AT cacert.org>
- To: Benny Baumann <benbe AT cacert.org>
- Cc: "critical-admin AT cacert.org" <critical-admin AT cacert.org>, cacert-devel AT lists.cacert.org, 'dirk astrath' <dirk.astrath AT cacert.org>, Michael Tänzer <michael.taenzer AT cacert.org>, Martin Gummi <martin.gummi AT cacert.org>, Marcus Mängel <inopiae AT cacert.org>, Ulrich Schröter <ulrich AT cacert.org>, Juergen Bruckner <jbruckner AT cacert.org>
- Subject: Re: Patch Request Bug #782, #1173, #1176, #1186
- Date: Mon, 15 Jul 2013 11:14:39 +0200
- Organization: CAcert
Hi Benny,
On 12-7-2013 22:04, Benny Baumann wrote:
> we have patches for various bug reports:

The patches for #1176, #1186 and #1173 have been installed on the production server on July 15, 2013. See also the attached log messages which have been sent out to cacert-systemlog AT lists.cacert.org. In addition the requested translation update actions have been performed.

The patch for #782 has been rejected, because it could not be installed cleanly on the production server. The diffs provided for the file includes/account.php did not fully match the production version of this file. See the attached logs for details of the failure. In order to back out the (partial) application of this broken patch, the web service on the production server has been taken offline for a few minutes. Please resubmit a fixed version of this patch after verifying it against the current production source code.

Regards,
-- wytze
patching file account.php
Hunk #2 succeeded at 240 (offset -1 lines).
Hunk #3 succeeded at 328 (offset -1 lines).
Hunk #4 succeeded at 340 (offset -1 lines).
Hunk #5 succeeded at 373 (offset -1 lines).
Hunk #6 succeeded at 429 (offset -1 lines).
Hunk #7 succeeded at 464 (offset -1 lines).
Hunk #8 succeeded at 671 with fuzz 2 (offset -1 lines).
Hunk #9 FAILED at 684.
Hunk #10 succeeded at 749 (offset -1 lines).
Hunk #11 FAILED at 785.
Hunk #12 succeeded at 872 with fuzz 1 (offset -1 lines).
Hunk #13 succeeded at 1011 (offset -1 lines).
Hunk #14 succeeded at 1067 (offset -1 lines).
Hunk #15 succeeded at 1167 (offset -1 lines).
Hunk #16 succeeded at 1224 (offset -1 lines).
Hunk #17 succeeded at 1442 (offset -1 lines).
Hunk #18 succeeded at 1478 (offset -1 lines).
Hunk #19 succeeded at 1530 (offset -1 lines).
Hunk #20 succeeded at 1547 (offset -1 lines).
Hunk #21 succeeded at 1560 (offset -1 lines).
Hunk #22 succeeded at 1638 (offset -1 lines).
Hunk #23 succeeded at 1714 with fuzz 1 (offset -1 lines).
Hunk #24 succeeded at 1807 (offset -1 lines).
Hunk #25 FAILED at 1839.
Hunk #26 succeeded at 1913 (offset -1 lines).
Hunk #27 FAILED at 1962.
Hunk #28 succeeded at 2053 with fuzz 2 (offset -1 lines).
Hunk #29 succeeded at 2155 (offset -1 lines).
Hunk #30 FAILED at 2565.
Hunk #31 succeeded at 2574 (offset -1 lines).
Hunk #32 succeeded at 2832 (offset -1 lines).
5 out of 32 hunks FAILED -- saving rejects to file account.php.rej
--- account.php
+++ account.php
@@ -684,6 +691,12 @@
exit;
}
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']=
trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
+
$_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id10CSR");
$fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR);
@@ -785,13 +798,15 @@
`CN`='".mysql_real_escape_string($_SESSION['_config']['rows']['0'])."',
`domid`='".mysql_real_escape_string($_SESSION['_config']['rowid']['0'])."',
`created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
-
`rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."'";
+
`rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
+
`description`='".$_SESSION['_config']['description']."'";
} elseif(array_key_exists('0',$_SESSION['_config']['altid'])
&& $_SESSION['_config']['altid']['0'] > 0) {
$query = "insert into `domaincerts` set
`CN`='".mysql_real_escape_string($_SESSION['_config']['altrows']['0'])."',
`domid`='".mysql_real_escape_string($_SESSION['_config']['altid']['0'])."',
`created`=NOW(),`subject`='".mysql_real_escape_string($subject)."',
-
`rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."'";
+
`rootcert`='".mysql_real_escape_string($_SESSION['_config']['rootcert'])."',
+
`description`='".$_SESSION['_config']['description']."'";
} else {
showheader(_("My CAcert.org Account!"));
echo _("Domain not verified.");
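Review bot: `description` is the only column in both INSERT statements whose value is not wrapped in `mysql_real_escape_string()`; it relies on escaping performed in a different hunk when the value entered the session, and since that hunk (#9) also failed to apply, a partial application would have left this interpolation unescaped. Escape at the query, consistently with the other columns: `` `description`='".mysql_real_escape_string($_SESSION['_config']['description'])."'" ``. The two INSERTs differ only in which session row supplies CN and domid; selecting those two values first and building one query would remove the duplicated column list.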
@@ -1839,6 +1930,12 @@
exit;
}
+ if(trim($_REQUEST['description']) != ""){
+ $_SESSION['_config']['description']=
trim(mysql_real_escape_string(stripslashes($_REQUEST['description'])));
+ }else{
+ $_SESSION['_config']['description']= "";
+ }
+
$_SESSION['_config']['tmpfname'] = tempnam("/tmp", "id20CSR");
$fp = fopen($_SESSION['_config']['tmpfname'], "w");
fputs($fp, $CSR);
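Review bot: this block is a verbatim copy of the `description` handling added at line 684, so the same escape-at-input concern applies and the two copies will drift. Move it into one small helper (one that returns the trimmed, raw description or '') and call it from both the id10CSR and id20CSR paths.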
@@ -1962,25 +2059,27 @@
if($_SESSION['_config']['rootcert'] < 1 ||
$_SESSION['_config']['rootcert'] > 2)
$_SESSION['_config']['rootcert'] = 1;
- if($_SESSION['_config']['rowid']['0'] > 0)
- {
- $query = "insert into `orgdomaincerts` set
-
`CN`='".$_SESSION['_config']['rows']['0']."',
- `orgid`='".$org['id']."',
- `created`=NOW(),
- `subject`='$csrsubject',
-
`rootcert`='".$_SESSION['_config']['rootcert']."',
- `type`='$type'";
- } else {
- $query = "insert into `orgdomaincerts` set
-
`CN`='".$_SESSION['_config']['altrows']['0']."',
- `orgid`='".$org['id']."',
- `created`=NOW(),
- `subject`='$csrsubject',
-
`rootcert`='".$_SESSION['_config']['rootcert']."',
- `type`='$type'";
- }
- mysql_query($query);
+ if($_SESSION['_config']['rowid']['0'] > 0)
+ {
+ $query = "insert into `orgdomaincerts` set
+
`CN`='".$_SESSION['_config']['rows']['0']."',
+ `orgid`='".$org['id']."',
+ `created`=NOW(),
+ `subject`='$csrsubject',
+
`rootcert`='".$_SESSION['_config']['rootcert']."',
+ `type`='$type',
+
`description`='".$_SESSION['_config']['description']."'";
+ } else {
+ $query = "insert into `orgdomaincerts` set
+
`CN`='".$_SESSION['_config']['altrows']['0']."',
+ `orgid`='".$org['id']."',
+ `created`=NOW(),
+ `subject`='$csrsubject',
+
`rootcert`='".$_SESSION['_config']['rootcert']."',
+ `type`='$type',
+
`description`='".$_SESSION['_config']['description']."'";
+ }
+ mysql_query($query);
$CSRid = mysql_insert_id();
$CSRname=generatecertpath("csr","orgserver",$CSRid);
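Review bot: the removed and re-added lines of the two `orgdomaincerts` INSERTs are identical apart from indentation and the added `description` column, so most of this hunk is whitespace noise, and that is the likely reason it did not match the production file (hunk #27 FAILED at 1962). Restrict the hunk to the lines that append `` `description`='...' `` after `` `type`='$type', ``. Separately, this query interpolates `CN`, `rootcert` and now `description` straight from the session without `mysql_real_escape_string()` (pre-existing for CN and rootcert); the new column should not extend that pattern.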
@@ -2565,7 +2683,7 @@
}
if($oldid == 54 || ($id == 53 && array_key_exists('action',$_REQUEST)
&& $_REQUEST['action'] != "") ||
- ($id == 54 && array_key_exists('action',$_REQUEST) &&
$_REQUEST['action'] != "" &&
+ ($id == 54 && array_key_exists('action',$_REQUEST) &&
$_REQUEST['action'] != "" &&
$_REQUEST['action'] != "aliases" &&
$_REQUEST['action'] != "edit" && $_REQUEST['action'] != "add"))
{
$id = 53;
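Review bot: the `-` and `+` lines of this hunk carry the same text (`($id == 54 && array_key_exists('action',$_REQUEST) && $_REQUEST['action'] != "" &&`), so the hunk is whitespace-only and has no functional effect, and it is one of the five hunks that FAILED against production. Drop it from the #782 patch so the resubmission carries only the `description` change.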
--- Begin Message ---
- From: Wytze van der Raay <wytze AT cacert.org>
- To: cacert-systemlog AT lists.cacert.org
- Subject: Fwd: cvs.cacert.org checkin notification
- Date: Mon, 15 Jul 2013 10:54:21 +0200
- Organization: CAcert
Fix for http://bugs.cacert.org/view.php?id=1176
fix deprecation messages due to PHP update.
In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php
-- end
--- Begin Message ---
- From: "root" <root AT cvs.cacert.org>
- To: critical-admin AT cacert.org
- Subject: cvs.cacert.org checkin notification
- Date: Mon, 15 Jul 2013 10:32:02 +0200 (CEST)
uid=0(root) gid=0(root) groups=0(root)
general.php 1.97 1.98 loggedin.php 1.20 1.21
Mon Jul 15 10:32:02 CEST 2013
Update of /var/lib/cvs/cacert/includes
In directory webdb:/home/cacert/www/includes
Modified Files:
general.php loggedin.php
Log Message:
Fix for http://bugs.cacert.org/view.php?id=1176
fix deprecation messages due to PHP update.
===================================================================
RCS file: /var/lib/cvs/cacert/includes/loggedin.php,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- loggedin.php 2012/01/24 14:25:36 1.20
+++ loggedin.php 2013/07/15 08:32:02 1.21
@@ -18,20 +18,29 @@
include_once("../includes/lib/general.php");
require_once("../includes/lib/l10n.php");
+ include_once("../includes/mysql.php");
+
+ if(!isset($_SESSION['profile']) || !is_array($_SESSION['profile'])) {
+ $_SESSION['profile'] = array( 'id' => 0, 'loggedin' => 0 );
+ }
+ if(!isset($_SESSION['profile']['id']) ||
!isset($_SESSION['profile']['loggedin'])) {
+ $_SESSION['profile']['id'] = 0;
+ $_SESSION['profile']['loggedin'] = 0;
+ }
if($_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'] &&
$_SESSION['profile']['id'] > 0 && $_SESSION['profile']['loggedin'] != 0)
{
$uid = $_SESSION['profile']['id'];
$_SESSION['profile']['loggedin'] = 0;
$_SESSION['profile'] = "";
- foreach($_SESSION as $key)
+ foreach($_SESSION as $key => $value)
{
- if($key == '_config')
+ if($key == '_config' || $key == 'mconn' || 'csrf_' ==
substr($key, 0, 5))
continue;
if(is_int($key) || is_string($key))
unset($_SESSION[$key]);
- unset($$key);
- session_unregister($key);
+ unset($$key);
+ //session_unregister($key);
}
$_SESSION['profile'] = mysql_fetch_assoc(mysql_query("select
* from `users` where `id`='$uid'"));
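Review bot: the change from `foreach($_SESSION as $key)` to `foreach($_SESSION as $key => $value)` is a behaviour fix, not a deprecation fix: the old loop bound `$key` to the session values, so `if($key == '_config')` and `unset($_SESSION[$key])` were operating on the wrong thing. That deserves a sentence in the log message, which only says "fix deprecation messages due to PHP update". Two smaller points: `session_unregister()` and the `unset($$key)` variable-variable should be deleted rather than commented out, and `$uid` is interpolated into `select * from users where id='$uid'` without `intval()`; it comes from the session rather than the request, but casting it keeps the query in line with the escaping done elsewhere.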
@@ -50,14 +59,14 @@
{
$_SESSION['profile']['loggedin'] = 0;
$_SESSION['profile'] = "";
- foreach($_SESSION as $key)
+ foreach($_SESSION as $key => $value)
{
- if($key == '_config')
+ if($key == '_config' || $key == 'mconn' ||
'csrf_' == substr($key, 0, 5))
continue;
if(is_int($key) || is_string($key))
unset($_SESSION[$key]);
- unset($$key);
- session_unregister($key);
+ unset($$key);
+ //session_unregister($key);
}
$_SESSION['profile'] = mysql_fetch_assoc(mysql_query(
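Review bot: this is the second copy of the session-scrubbing loop with the `_config` / `mconn` / `csrf_` skip list, and a third follows at line 69. Put the loop in one function (a `clear_session_except()` helper, name assumed) so the skip list and the `is_int`/`is_string` guard cannot diverge between call sites; the third copy already lacks that guard.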
@@ -69,16 +78,16 @@
} else {
$_SESSION['profile']['loggedin'] = 0;
$_SESSION['profile'] = "";
- foreach($_SESSION as $key)
+ foreach($_SESSION as $key => $value)
{
- if($key == '_config')
+ if($key == '_config' || $key == 'mconn' ||
'csrf_' == substr($key, 0, 5))
continue;
- unset($_SESSION[$key]);
- unset($$key);
- session_unregister($key);
+ unset($_SESSION[$key]);
+ unset($$key);
+ //session_unregister($key);
}
- unset($_SESSION['_config']['oldlocation']);
+ $_SESSION['_config']['oldlocation'] = '';
foreach($_GET as $key => $val)
{
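Review bot: this copy of the scrub loop unsets every non-skipped key unconditionally, whereas the two copies above first check `is_int($key) || is_string($key)`; either the guard is unnecessary everywhere or it is missing here. Also, preserving `csrf_*` keys across the reset keeps anti-CSRF tokens issued before the reset valid after it; that is only safe if the session id itself cannot be fixated, and `session_regenerate_id()` is still commented out in general.php (see the hunk at line 21 of that file). Regenerating the id at the point the profile is reloaded would close that.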
@@ -127,9 +136,9 @@
$_SESSION['profile'] = "";
foreach($_SESSION as $key => $value)
{
- unset($_SESSION[$key]);
- unset($$key);
- session_unregister($key);
+ unset($_SESSION[$key]);
+ unset($$key);
+ //session_unregister($key);
}
header("location: https://".$normalhost."/index.php");
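Review bot: the only functional change in this hunk is commenting out `session_unregister($key)`; the rest is re-indentation that inflates the diff. Delete the dead line outright (the function no longer exists in the PHP version this patch targets, which is the reason for the patch) and leave the indentation untouched so the hunk stays minimal.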
@@ -138,11 +147,11 @@
if($_SESSION['profile']['loggedin'] < 1)
{
- unset($_SESSION['_config']['oldlocation']);
+ $_SESSION['_config']['oldlocation'] = '';
foreach($_REQUEST as $key => $val)
{
- if($_SESSION['_config']['oldlocation'])
+ if('' != $_SESSION['_config']['oldlocation'])
$_SESSION['_config']['oldlocation'] .= "&";
$key = str_replace(array("\n", "\r"), '', $key);
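Review bot: `$key = str_replace(array("\n", "\r"), '', $key)` strips CR/LF from request keys before they are appended to `oldlocation`, but nothing in the visible lines does the same for `$val`; if `oldlocation` is later placed in a `Location:` header or echoed into a link, the value needs the same treatment (better, `urlencode()` both key and value when appending). The switch from `unset()` to `= ''` with the `'' !=` comparison is fine, but any code that tests `isset($_SESSION['_config']['oldlocation'])` now always sees it as set.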
===================================================================
RCS file: /var/lib/cvs/cacert/includes/general.php,v
retrieving revision 1.97
retrieving revision 1.98
diff -u -r1.97 -r1.98
--- general.php 2013/05/15 09:39:34 1.97
+++ general.php 2013/07/15 08:32:01 1.98
@@ -21,10 +21,10 @@
session_name("cacert");
session_start();
- session_register("_config");
- session_register("profile");
- session_register("signup");
- session_register("lostpw");
+// session_register("_config");
+// session_register("profile");
+// session_register("signup");
+// session_register("lostpw");
// if($_SESSION['profile']['id'] > 0)
// session_regenerate_id();
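Review bot: `session_register()` is removed in the PHP version this patch targets, so delete the four lines rather than leaving them as comments. The more important item is the two lines right below them: `session_regenerate_id()` remains commented out, so a session id established before login survives login. Enabling `session_regenerate_id(true)` once `$_SESSION['profile']['id'] > 0` closes that session-fixation window, and with the `session_register` calls gone there is nothing left that depended on the old id.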
@@ -536,7 +536,7 @@
$myemail = mysql_real_escape_string($email);
if(preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\+\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/"
, $email))
{
- list($username,$domain)=split('@',$email);
+ list($username,$domain)=explode('@',$email,2);
$dom = escapeshellarg($domain);
$line = trim(`dig +short MX $dom 2>&1`);
#echo $email."-$dom-$line-\n";
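Review bot: `explode('@', $email, 2)` is the right replacement for the removed `split()`. Two things in the surrounding context deserve attention while this function is open: the e-mail regex ends in `([a-zA-Z0-9\._-]+)+$`, a nested quantifier that backtracks exponentially on a long input that almost matches (a long domain ending in a character outside the class), so one request can pin a CPU; `[a-zA-Z0-9._-]+$` expresses the same set without the blow-up. And `$myemail = mysql_real_escape_string($email)` is computed but unused in the visible lines. The MX lookup shells out to `dig` with `escapeshellarg()` applied, which is correct as far as it goes; PHP's `getmxrr()` would avoid the shell entirely.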
--- End Message ---
--- Begin Message ---
- From: "root" <root AT cvs.cacert.org>
- To: critical-admin AT cacert.org
- Subject: cvs.cacert.org checkin notification
- Date: Mon, 15 Jul 2013 10:32:07 +0200 (CEST)
uid=0(root) gid=0(root) groups=0(root)
43.php 1.48 1.49
Mon Jul 15 10:32:07 CEST 2013
Update of /var/lib/cvs/cacert/pages/account
In directory webdb:/home/cacert/www/pages/account
Modified Files:
43.php
Log Message:
Fix for http://bugs.cacert.org/view.php?id=1176
fix deprecation messages due to PHP update.
===================================================================
RCS file: /var/lib/cvs/cacert/pages/account/43.php,v
retrieving revision 1.48
retrieving revision 1.49
diff -u -r1.48 -r1.49
--- 43.php 2013/06/26 11:02:45 1.48
+++ 43.php 2013/07/15 08:32:06 1.49
@@ -35,6 +35,8 @@
if(intval(array_key_exists('userid',$_REQUEST)?$_REQUEST['userid']:0) <= 0)
{
+ $_REQUEST['userid'] = 0;
+
$emailsearch = $email =
mysql_escape_string(stripslashes($_REQUEST['email']));
//Disabled to speed up the queries
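Review bot: in a patch about deprecation warnings, the context line `mysql_escape_string(stripslashes($_REQUEST['email']))` is itself a deprecated call and ignores the connection character set; switch it to `mysql_real_escape_string()` as used elsewhere in the code base. `$_REQUEST['email']` is also read without an `isset()` guard, while `userid` one line above is now defensively defaulted to 0; apply the same treatment.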
@@ -890,17 +892,19 @@
<br><br>
<? } }
-switch ($_GET['shownotary'])
- {
- case 'assuredto': showassuredto();
- break;
- case 'assuredby': showassuredby();
- break;
- case 'assuredto15':
output_received_assurances(intval($_GET['userid']),1);
- break;
- case 'assuredby15':
output_given_assurances(intval($_GET['userid']),1);
- break;
- }
-
-
-?>
+if(isset($_GET['shownotary'])) {
+ switch($_GET['shownotary']) {
+ case 'assuredto':
+ showassuredto();
+ break;
+ case 'assuredby':
+ showassuredby();
+ break;
+ case 'assuredto15':
+ output_received_assurances(intval($_GET['userid']),1);
+ break;
+ case 'assuredby15':
+ output_given_assurances(intval($_GET['userid']),1);
+ break;
+ }
+}
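Review bot: the `isset()` guard fixes the undefined-index notice, but unknown `shownotary` values still fall through silently; add a `default:` branch so a mistyped link does not just render nothing. Removing the closing `?>` is correct and worth keeping: any trailing whitespace after it would have been sent as output.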
--- End Message ---
Attachment: smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
--- Begin Message ---
- From: Wytze van der Raay <wytze AT cacert.org>
- To: cacert-systemlog AT lists.cacert.org
- Subject: Fwd: cvs.cacert.org checkin notification
- Date: Mon, 15 Jul 2013 10:55:02 +0200
- Organization: CAcert
Fix for http://bugs.cacert.org/view.php?id=1186
warning when determining MX records of a domain.
In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php
-- end
--- Begin Message ---
- From: "root" <root AT cvs.cacert.org>
- To: critical-admin AT cacert.org
- Subject: cvs.cacert.org checkin notification
- Date: Mon, 15 Jul 2013 10:35:59 +0200 (CEST)
uid=0(root) gid=0(root) groups=0(root)
general.php 1.98 1.99
Mon Jul 15 10:35:59 CEST 2013
Update of /var/lib/cvs/cacert/includes
In directory webdb:/home/cacert/www/includes
Modified Files:
general.php
Log Message:
Fix for http://bugs.cacert.org/view.php?id=1186
warning when determining MX records of a domain.
===================================================================
RCS file: /var/lib/cvs/cacert/includes/general.php,v
retrieving revision 1.98
retrieving revision 1.99
diff -u -r1.98 -r1.99
--- general.php 2013/07/15 08:32:01 1.98
+++ general.php 2013/07/15 08:35:59 1.99
@@ -543,10 +543,15 @@
#echo `dig +short mx heise.de 2>&1`."-<br>\n";
$list = explode("\n", $line);
- foreach($list as $row)
- list($pri, $mxhosts[]) = explode(" ",
substr(trim($row), 0, -1));
+ foreach($list as $row) {
+ if(!strstr($row, " ")) {
+ continue;
+ }
+ list($pri, $mxhosts[]) = explode(" ",
trim($row), 2);
+ }
$mxhosts[] = $domain;
-#print_r($mxhosts); die;
+ array_walk($mxhosts, function(&$mx) { $mx = trim($mx,
'.'); } );
+
foreach($mxhosts as $key => $domain)
{
$fp = @fsockopen($domain,25,$errno,$errstr,5);
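Review bot: the `strstr($row, " ")` guard only skips rows with no space at all. Because `dig` is invoked with `2>&1` (visible in the earlier general.php hunk), a resolver failure such as `;; connection timed out; no servers could be reached` lands in `$line`, contains spaces, passes the guard and becomes a fake priority/host pair that is then handed to `fsockopen()`. Accept a row only when it has the `<priority> <host>` shape, e.g. `if(!preg_match('/^\d+ \S+$/', trim($row))) continue;`. The `array_walk` closure trimming the trailing dot is fine on PHP 5.3 and later.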
--- End Message ---
Attachment: smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
--- Begin Message ---
- From: Wytze van der Raay <wytze AT cacert.org>
- To: cacert-systemlog AT lists.cacert.org
- Subject: Fwd: cvs.cacert.org checkin notification
- Date: Mon, 15 Jul 2013 10:55:43 +0200
- Organization: CAcert
Fix for http://bugs.cacert.org/view.php?id=1173
While email or domain dispute check if the request belongs to a locked
account and stop the process.
In conjunction with the attached CVS changes a new tarball has been
made available incorporating all updates. The new tarball is available
through http://www.cacert.org/src-lic.php
-- end
--- Begin Message ---
- From: "root" <root AT cvs.cacert.org>
- To: critical-admin AT cacert.org
- Subject: cvs.cacert.org checkin notification
- Date: Mon, 15 Jul 2013 10:38:31 +0200 (CEST)
uid=0(root) gid=0(root) groups=0(root)
disputes.php 1.21 1.22
Mon Jul 15 10:38:31 CEST 2013
Update of /var/lib/cvs/cacert/www
In directory webdb:/home/cacert/www/www
Modified Files:
disputes.php
Log Message:
Fix for http://bugs.cacert.org/view.php?id=1173
While email or domain dispute check if the request belongs to a locked account
and stop the process.
===================================================================
RCS file: /var/lib/cvs/cacert/www/disputes.php,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- disputes.php 2013/05/14 09:05:11 1.21
+++ disputes.php 2013/07/15 08:38:31 1.22
@@ -236,6 +236,23 @@
exit;
}
+ //check if email belongs to locked account
+ $res = mysql_query("select 1 from `email`, `users` where
`email`.`email`='$email' and `email`.`memid`=`users`.`id` and
(`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
+ if(mysql_num_rows($res) > 0)
+ {
+ showheader(_("Email Dispute"));
+ printf(_("Sorry, the email address '%s' cannot be
disputed for administrative reasons. To solve this problem please get in
contact with %s."), sanitizeHTML($email),"<a
href='mailto:support AT cacert.org'>support AT cacert.org</a>");
+ $duser=$_SESSION['profile']['fname']."
".$_SESSION['profile']['lname'];
+ $body = sprintf("Someone has just attempted to
dispute this email '%s', which belongs to a locked account:\n".
+ "Username(ID): %s (%s)\n".
+ "email: %s\n".
+ "IP/Hostname: %s\n", $email, $duser,
$_SESSION['profile']['id'], $_SESSION['profile']['email'],
$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:""));
+
sendmail("support AT cacert.org",
"[CAcert.org] failed dispute on locked account", $body,
$_SESSION['profile']['email'], "", "", $duser);
+
+ showfooter();
+ exit;
+ }
+
$res = mysql_query("select * from `disputeemail` where
`email`='$email' and hash!=''");
if(mysql_num_rows($res) > 0)
{
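Review bot: `$email` is interpolated into the new query as `'$email'`, and the hunk does not show where it was escaped; confirm the `mysql_real_escape_string()` happens before line 236 or apply it here. Second, the notice text is deliberately generic, but the distinct code path (rejection plus a mail to support) lets any logged-in user probe whether an arbitrary address belongs to a `locked` or `assurer_blocked` account; if that disclosure is acceptable for #1173 it should be a recorded decision. `sanitizeHTML($email)` on the output path is correct.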
@@ -307,6 +324,23 @@
showfooter();
exit;
}
+
+ //check if domain belongs to locked account
+ $res = mysql_query("select 1 from `domains`, `users` where
`domains`.`domain`='$domain' and `domains`.`memid`=`users`.`id` and
(`users`.`assurer_blocked`=1 or `users`.`locked`=1)");
+ if(mysql_num_rows($res) > 0)
+ {
+ showheader(_("Domain Dispute"));
+ printf(_("Sorry, the domain '%s' cannot be disputed
for administrative reasons. To solve this problem please get in contact with
%s."), sanitizeHTML($domain),"<a
href='mailto:support AT cacert.org'>support AT cacert.org</a>");
+ $duser=$_SESSION['profile']['fname']."
".$_SESSION['profile']['lname'];
+ $body = sprintf("Someone has just attempted to
dispute this domain '%s', which belongs to a locked account:\n".
+ "Username(ID): %s (%s)\n".
+ "email: %s\n".
+ "IP/Hostname: %s\n", $domain, $duser,
$_SESSION['profile']['id'], $_SESSION['profile']['email'],
$_SERVER['REMOTE_ADDR'].(array_key_exists('REMOTE_HOST',$_SERVER)?"/".$_SERVER['REMOTE_HOST']:""));
+
sendmail("support AT cacert.org",
"[CAcert.org] failed dispute on locked account", $body,
$_SESSION['profile']['email'], "", "", $duser);
+
+ showfooter();
+ exit;
+ }
$query = "select * from `disputedomain` where
`domain`='$domain' and hash!=''";
$res = mysql_query($query);
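Review bot: this block duplicates the e-mail variant above line for line with `domain`/`domains` substituted; a single helper (name assumed) such as `dispute_target_locked($table, $column, $value, $label)` that runs the query, prints the notice, mails support and exits would keep the two checks from drifting. Both queries treat `assurer_blocked=1` the same as `locked=1`; if accounts that are only assurer-blocked are meant to keep their domains and addresses disputable, the condition is broader than the bug title ("locked account") suggests and should be narrowed or documented.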
--- End Message ---
Attachment: smime.p7s
Description: S/MIME cryptographic signature
--- End Message ---
Attachment: smime.p7s
Description: S/MIME cryptographic signature
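The #782 failure above is a classic partial application: patch(1) installed 27 of 32 hunks (several only "with fuzz" or at an offset), wrote the remaining five to account.php.rej, and the web service had to be taken offline to back the half-applied file out. The following all-or-nothing unified-diff checker is an added example, not code from this thread or from the CAcert code base: it parses `@@` hunk headers, verifies every hunk's context and removed lines against the target text exactly (no offset or fuzz tolerance, deliberately stricter than patch(1)), and only rewrites the file when all hunks match. The sample PHP-like file and patch are constructed for the example; the second hunk's context intentionally does not match, mirroring the kind of failure in the log.

```python
"""All-or-nothing unified-diff verification and application (added example).

Unlike patch(1), which applies whatever hunks it can and leaves *.rej files
behind, apply_patch() refuses to change anything unless every hunk matches
the target exactly, so a stale patch can never half-land on production.
"""
import re
from typing import List, Optional, Tuple

# "@@ -oldstart[,oldcount] +newstart[,newcount] @@"
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

Hunk = Tuple[int, List[str]]  # (1-based old start line, body lines with ' ', '-' or '+' marker)


def parse_hunks(patch_text: str) -> List[Hunk]:
    """Collect hunk bodies, using the header line counts to know where each hunk ends,
    so file headers ('--- a', '+++ b') between hunks are never mistaken for body lines."""
    hunks: List[Hunk] = []
    body: Optional[List[str]] = None
    remaining_old = remaining_new = 0
    for line in patch_text.splitlines():
        m = HUNK_RE.match(line)
        if m:
            remaining_old = int(m.group(2) or 1)
            remaining_new = int(m.group(4) or 1)
            body = []
            hunks.append((int(m.group(1)), body))
            continue
        if body is None or (remaining_old == 0 and remaining_new == 0):
            continue  # file headers, mail text, or trailing noise
        if line == "":
            line = " "  # blank context line whose leading space was stripped in transit
        tag = line[0]
        if tag == " ":
            remaining_old -= 1
            remaining_new -= 1
        elif tag == "-":
            remaining_old -= 1
        elif tag == "+":
            remaining_new -= 1
        else:
            continue  # e.g. "\ No newline at end of file"
        body.append(line)
    return hunks


def check_hunk(old: List[str], start: int, body: List[str]) -> bool:
    """True iff the hunk's context and removed lines appear verbatim at `start`."""
    expected = [ln[1:] for ln in body if ln[0] in " -"]
    idx = start - 1
    return old[idx:idx + len(expected)] == expected


def apply_patch(old_text: str, patch_text: str) -> Tuple[Optional[str], List[int]]:
    """Return (new_text, failed_hunk_numbers). On any mismatch new_text is None
    and nothing is applied; hunk numbers are 1-based like patch(1)'s output."""
    old = old_text.splitlines()
    hunks = parse_hunks(patch_text)
    failed = [n for n, (start, body) in enumerate(hunks, 1) if not check_hunk(old, start, body)]
    if failed:
        return None, failed
    out: List[str] = []
    pos = 0  # next unconsumed line of the old file
    for start, body in hunks:  # hunks are assumed to be in ascending order
        idx = start - 1
        out.extend(old[pos:idx])
        for ln in body:
            if ln[0] == " ":
                out.append(ln[1:])
                idx += 1
            elif ln[0] == "-":
                idx += 1
            else:
                out.append(ln[1:])
        pos = idx
    out.extend(old[pos:])
    return "\n".join(out) + "\n", []


# Constructed sample target (stands in for a production includes/account.php).
SAMPLE_OLD = "<?php\n$a = 1;\n$b = 2;\n$c = 3;\n$d = 4;\n$e = 5;\n$f = 6;\n"

# Constructed patch: hunk 1 matches; hunk 2 expects a '$g = 7;' line the target lacks.
SAMPLE_PATCH_STALE = (
    "--- account.php\n+++ account.php\n"
    "@@ -2,3 +2,4 @@\n $a = 1;\n+$a2 = 1;\n $b = 2;\n $c = 3;\n"
    "@@ -6,2 +7,3 @@\n $f = 6;\n+$f2 = 6;\n $g = 7;\n"
)

# Same change rebased against the actual target: hunk 2 now matches exactly.
SAMPLE_PATCH_FIXED = (
    "--- account.php\n+++ account.php\n"
    "@@ -2,3 +2,4 @@\n $a = 1;\n+$a2 = 1;\n $b = 2;\n $c = 3;\n"
    "@@ -7,1 +8,2 @@\n $f = 6;\n+$f2 = 6;\n"
)

if __name__ == "__main__":
    text, failed = apply_patch(SAMPLE_OLD, SAMPLE_PATCH_STALE)
    print("stale patch:", "refused, hunks FAILED: %s" % failed if text is None else "applied")
    text, failed = apply_patch(SAMPLE_OLD, SAMPLE_PATCH_FIXED)
    print("fixed patch:", "applied" if text is not None else "refused")
```

Running it reports the stale patch as refused with hunk #2 failed and the target untouched, and applies the rebased patch in one step. The strictness is the point: the log above shows hunks accepted "with fuzz 2", meaning two context lines did not match and patch(1) applied the change anyway, which is exactly the tolerance you do not want when the target is a CA's certificate-issuing code.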
- Patch Request Bug #782, #1173, #1176, #1186, Benny Baumann, 07/12/2013
- Re: Patch Request Bug #782, #1173, #1176, #1186, Wytze van der Raay, 07/15/2013
- Re: Patch Request Bug #782, #1173, #1176, #1186, Wytze van der Raay, 07/17/2013