From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH v3 1/2] vpnmain.cgi: Fix for 2nd part of bug10595
From: Michael Tremer
To: Adolf Belka
Cc: development@lists.ipfire.org
Date: Mon, 10 Mar 2025 10:08:32 +0000
In-Reply-To: <20250306113221.6990-1-adolf.belka@ipfire.org>
References: <20250306113221.6990-1-adolf.belka@ipfire.org>

Thank you. Merged.

> On 6 Mar 2025, at 11:32, Adolf Belka wrote:
>
> - Bug10595 had two parts in it and was closed after the first part was fixed. The second
> part was still unfixed at that time. I came across it when checking out an open bug on
> a similar issue with OpenVPN.
> - I found the section that checks on the CA Name and modified it to also allow spaces.
> - Having modified that then the subroutines getsubjectfromcert and getCNfromcert required
> modifications otherwise the openssl statement only got a filename with the first
> portion of the ca name until the first space was encountered. This v2 version of this
> patch set has the safe approach suggested by @Michael. This v3 version has been
> rebased to another patch submission that modified lines in a similar place and
> prevented a merge to work.
> - I am open to any suggestions for improvements to how I implemented the use of the
> &General::system_output function
> - Tested this change out on my vm and it worked fine. I was able to upload a ca
> certificate into IPSec and use spaces in the CA Name.
> - Changed the test for the CA_NAME to allow spaces. Change also made to en.pl file
>
> Fixes: Bug10595 part 2
> Tested-by: Adolf Belka
> Signed-off-by: Adolf Belka > --- > html/cgi-bin/vpnmain.cgi | 34 ++++++++++++++++++++-------------- > 1 file changed, 20 insertions(+), 14 deletions(-) >=20 > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > index c9bbbb494..0c69efb17 100755 > --- a/html/cgi-bin/vpnmain.cgi > +++ b/html/cgi-bin/vpnmain.cgi > @@ -245,13 +245,16 @@ sub callssl ($) { > ### > sub getCNfromcert ($) { > #&General::log("charon", "Extracting name from $_[0]..."); > - my $temp =3D `/usr/bin/openssl x509 -text -in $_[0]`; > - $temp =3D~ /Subject:.*CN\s*=3D\s*(.*)[\n]/; > - $temp =3D $1; > - $temp =3D~ s+/Email+, E+; > - $temp =3D~ s/ ST =3D / S =3D /; > - $temp =3D~ s/,//g; > - $temp =3D~ s/\'//g; > + my @output =3D &General::system_output("/usr/bin/openssl", "x509", = "-text", "-in", "$_[0]"); > + my $temp; > + foreach my $line (@output) { > + $line =3D~ /Subject:.*CN\s*=3D\s*(.*)[\n]/; > + $temp =3D $1; > + $temp =3D~ s+/Email+, E+; > + $temp =3D~ s/ ST =3D / S =3D /; > + $temp =3D~ s/,//g; > + $temp =3D~ s/\'//g; > + } > return $temp; > } > ### > @@ -259,11 +262,14 @@ sub getCNfromcert ($) { > ### > sub getsubjectfromcert ($) { > #&General::log("charon", "Extracting subject from $_[0]..."); > - my $temp =3D `/usr/bin/openssl x509 -text -in $_[0]`; > - $temp =3D~ /Subject: (.*)[\n]/; > - $temp =3D $1; > - $temp =3D~ s+/Email+, E+; > - $temp =3D~ s/ ST =3D / S =3D /; > + my @output =3D &General::system_output("/usr/bin/openssl", "x509", = "-text", "-in", "$_[0]"); > + my $temp; > + foreach my $line (@output) { > + $line =3D~ /Subject: (.*)[\n]/; > + $temp =3D $1; > + $temp =3D~ s+/Email+, E+; > + $temp =3D~ s/ ST =3D / S =3D /; > + } > return $temp; > } > ### 
> @@ -644,8 +650,8 @@ END > } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'upload ca certificate'}) { > &General::readhasharray("${General::swroot}/vpn/caconfig", \%cahash); >=20 > - if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9]+$/) { > - $errormessage =3D $Lang::tr{'name must only contain characters'}; > + if ($cgiparams{'CA_NAME'} !~ /^[a-zA-Z0-9 ]*$/) { > + $errormessage =3D $Lang::tr{'ca name must only contain characters = and spaces'}; > goto UPLOADCA_ERROR; > } >=20 > --=20 > 2.48.1 >=20 >=20
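Review bot: in the getCNfromcert hunk (@@ -245,13 +245,16 @@) the foreach body assigns `$temp = $1;` on every line of the openssl output, not only on the line that matched `/Subject:.*CN\s*=\s*(.*)[\n]/`, so the returned value depends on Perl leaving `$1` untouched after a failed match, and the four substitutions are re-run on the same string once per remaining line. Guard the capture and stop at the first hit, e.g.
`if ($line =~ /Subject:.*CN\s*=\s*(.*)/) { $temp = $1; ... ; last; }`
and check whether `&General::system_output` returns lines with their trailing newline: if it strips them, the `[\n]` at the end of the pattern can never match and `$temp` stays undefined. Passing the certificate path as its own argument to `&General::system_output` instead of interpolating it into a backtick command line is the right way to handle names with spaces; `"$_[0]"` can simply be `$_[0]`, the quotes add nothing.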
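Review bot: the getsubjectfromcert hunk (@@ -259,11 +262,14 @@) has the same unconditional `$temp = $1;` inside its foreach as the getCNfromcert hunk, so any later non-matching line of the openssl output overwrites `$temp` with whatever `$1` last held, and `/Subject: (.*)[\n]/` only matches at all if the lines handed back by `&General::system_output` still end in a newline. Suggest the same shape, with the match guarding the assignment and a `last` after it:
`if ($line =~ /^\s*Subject: (.*?)\s*$/) { $temp = $1; $temp =~ s+/Email+, E+; $temp =~ s/ ST = / S = /; last; }`
Both subroutines now run the identical openssl command and loop; a small helper that returns the Subject line once would remove that duplication.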
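Review bot: changing the quantifier from `+` to `*` in `/^[a-zA-Z0-9 ]*$/` (hunk @@ -644,8 +650,8 @@) lets an empty CA_NAME through a check that used to reject it, and a name consisting only of spaces passes as well; since the name becomes part of the filename later handed to openssl, keep `+` and refuse leading or trailing blanks, e.g. `/^[a-zA-Z0-9]+( [a-zA-Z0-9]+)*$/`, or trim the value before testing it. The diffstat shows only vpnmain.cgi changed here, so the new key `'ca name must only contain characters and spaces'` has to land in en.pl with or before this patch, otherwise the error message renders empty.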