From mboxrd@z Thu Jan 1 00:00:00 1970 From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH v2 1/2] vpnmain.cgi: Fix for 2nd part of bug10595 Date: Mon, 03 Mar 2025 15:09:07 +0100 Message-ID: <20250303140908.12961-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2398264231944802883==" List-Id: --===============2398264231944802883== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable - Bug10595 had two parts in it and was closed after the first part was fixed.= The second part was still unfixed at that time. I cam across it when checking out an = open bug on a similar issue with OpenVPN. - I found the section that checks on the CA Name and modified it to also allo= w spaces. - Having modified that then the subroutines getsubjectfromcert and getCNfromc= ert required modifications otherwise the openssl statement only got a filename with the= first portion of the ca name until the first space was encountered. This v2 vers= ion of this patch set has the safe approach suggested by @Michael. - I am open to any suggestions for improvements to how I implemented the use = of the &General::system_output function - Tested this change out on my vm and it worked fine. I was able to upload a = ca certificate into IPSec and use spaces in the CA Name. - Changed the test for the CA_NAME to allow spaces. Change also made to en.pl= file Fixes: Bug10595 part 2 Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- html/cgi-bin/vpnmain.cgi | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) mode change 100755 =3D> 100644 html/cgi-bin/vpnmain.cgi diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi old mode 100755 new mode 100644 index a1d0f0e2a..c11fb0dc8 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -245,13 +245,16 @@ sub callssl ($) { ### sub getCNfromcert ($) { #&General::log("ipsec", "Extracting name from $_[0]..."); - my $temp =3D `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =3D~ /Subject:.*CN\s*=3D\s*(.*)[\n]/; - $temp =3D $1; - $temp =3D~ s+/Email+, E+; - $temp =3D~ s/ ST =3D / S =3D /; - $temp =3D~ s/,//g; - $temp =3D~ s/\'//g; + my @output =3D &General::system_output("/usr/bin/openssl", "x509", "-text",= "-in", "$_[0]"); + my $temp; + foreach my $line (@output) { + $line =3D~ /Subject:.*CN\s*=3D\s*(.*)[\n]/; + $temp =3D $1; + $temp =3D~ s+/Email+, E+; + $temp =3D~ s/ ST =3D / S =3D /; + $temp =3D~ s/,//g; + $temp =3D~ s/\'//g; + } return $temp; } ### @@ -259,11 +262,14 @@ sub getCNfromcert ($) { ### sub getsubjectfromcert ($) { #&General::log("ipsec", "Extracting subject from $_[0]..."); - my $temp =3D `/usr/bin/openssl x509 -text -in $_[0]`; - $temp =3D~ /Subject: (.*)[\n]/; - $temp =3D $1; - $temp =3D~ s+/Email+, E+; - $temp =3D~ s/ ST =3D / S =3D /; + my @output =3D &General::system_output("/usr/bin/openssl", "x509", "-text",= "-in", "$_[0]"); + my $temp; + foreach my $line (@output) { + $line =3D~ /Subject: (.*)[\n]/; + $temp =3D $1; + $temp =3D~ s+/Email+, E+; + $temp =3D~ s/ ST =3D / S =3D /; + } return $temp; } ### @@ -644,8 +650,8 @@ END } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); =20 - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { - $errormessage =3D $Lang::tr{'name must only contain characters'}; + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9 ]*$/) { + $errormessage =3D $Lang::tr{'ca name must only contain characters and spac= es'}; goto UPLOADCA_ERROR; } =20 --=20 2.48.1 --===============2398264231944802883==--