Hanno Böck commited on 2025-04-28 14:57:11
Zeige 2 geänderte Dateien mit 16 Einfügungen und 15 Löschungen.
| ... | ... |
@@ -260,7 +260,8 @@ function verify_shell($input) |
| 260 | 260 |
|
| 261 | 261 |
function filter_ssh_key($key) |
| 262 | 262 |
{
|
| 263 |
- $keyparts = explode(" ", trim($key));
|
|
| 263 |
+ $filtered = trim(str_replace(["\r", "\n"], ' ', $key)); |
|
| 264 |
+ $keyparts = explode(" ", $filtered);
|
|
| 264 | 265 |
|
| 265 | 266 |
if ((count($keyparts) > 3) || (count($keyparts) < 2)) {
|
| 266 | 267 |
system_failure("Ungültiger SSH-Key!");
|
| ... | ... |
@@ -283,10 +284,18 @@ function filter_ssh_key($key) |
| 283 | 284 |
} |
| 284 | 285 |
|
| 285 | 286 |
if (count($keyparts) === 2) {
|
| 286 |
- return $keyparts[0] . " " . $keyparts[1]; |
|
| 287 |
+ $fkey = $keyparts[0] . " " . $keyparts[1]; |
|
| 287 | 288 |
} else {
|
| 288 |
- return $keyparts[0] . " " . $keyparts[1] . " " . $keyparts[2]; |
|
| 289 |
+ $fkey = $keyparts[0] . " " . $keyparts[1] . " " . $keyparts[2]; |
|
| 289 | 290 |
} |
| 291 |
+ |
|
| 292 |
+ $sshcmd = proc_open("ssh-keygen -l -f -", [0 => ["pipe", "r"]], $pipes, null, null);
|
|
| 293 |
+ fwrite($pipes[0], $fkey); |
|
| 294 |
+ if (proc_close($sshcmd) !== 0) {
|
|
| 295 |
+ system_failure("Ungültiger SSH-Key laut ssh-keygen!");
|
|
| 296 |
+ } |
|
| 297 |
+ |
|
| 298 |
+ return $fkey; |
|
| 290 | 299 |
} |
| 291 | 300 |
|
| 292 | 301 |
|
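Review bot: The new ssh-keygen check at the end of filter_ssh_key() uses the result of `proc_open()` without testing it, passes only descriptor 0 so the child inherits stdout and stderr from the PHP process, and calls `proc_close()` while `$pipes[0]` is still open. ssh-keygen reads stdin until EOF, and the PHP manual asks for pipes to be closed before `proc_close()` to avoid a deadlock, so an explicit `fclose($pipes[0])` after the write keeps the check independent of how the runtime tears the resource down. The command is also resolved through PATH here, whereas the code removed from newkey() in this commit called `/usr/bin/ssh-keygen`; for a validation step that gates which keys get stored, an absolute path is the safer choice. The start of filter_ssh_key() and the lines between the two hunks are outside the visible diff, and the fence assumes system_failure() does not return.

```php
    // … unchanged: $fkey assembled from $keyparts …
    $descriptors = [
        0 => ["pipe", "r"],
        1 => ["file", "/dev/null", "w"],
        2 => ["file", "/dev/null", "w"],
    ];
    $sshcmd = proc_open("/usr/bin/ssh-keygen -l -f -", $descriptors, $pipes, null, null);
    if (!is_resource($sshcmd)) {
        // Fail closed: a key that could not be checked is not accepted.
        system_failure("ssh-keygen konnte nicht gestartet werden!");
    }
    fwrite($pipes[0], $fkey);
    fclose($pipes[0]);
    if (proc_close($sshcmd) !== 0) {
        system_failure("Ungültiger SSH-Key laut ssh-keygen!");
    }

    return $fkey;
```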
| ... | ... |
@@ -14,6 +14,8 @@ Nevertheless, in case you use a significant part of this code, we ask (but not r |
| 14 | 14 |
|
| 15 | 15 |
require_role(ROLE_SYSTEMUSER); |
| 16 | 16 |
|
| 17 |
+require_once("inc/security.php");
|
|
| 18 |
+ |
|
| 17 | 19 |
$data_dir = realpath(dirname(__FILE__) . '/../../../../gitolite-data/'); |
| 18 | 20 |
$config_file = $data_dir . '/gitolite-admin/conf/webinterface.conf'; |
| 19 | 21 |
$config_dir = $data_dir . '/gitolite-admin/conf/webinterface'; |
| ... | ... |
@@ -288,22 +290,12 @@ function newkey($pubkey, $handle) |
| 288 | 290 |
system_failure("Der eingegebene Name enthält ungültige Zeichen. Bitte nur Buchstaben, Zahlen, Unterstrich und Bindestrich benutzen.");
|
| 289 | 291 |
} |
| 290 | 292 |
|
| 291 |
- $pubkey = trim(str_replace(["\r", "\n"], ' ', $pubkey)); |
|
| 293 |
+ DEBUG("checking public key $keyfile");
|
|
| 294 |
+ $pubkey = filter_ssh_key($pubkey); |
|
| 292 | 295 |
|
| 293 | 296 |
$keyfile = $key_dir . '/' . $handle . '.pub'; |
| 294 | 297 |
file_put_contents($keyfile, $pubkey); |
| 295 | 298 |
|
| 296 |
- DEBUG("checking public key $keyfile");
|
|
| 297 |
- $proc = popen("/usr/bin/ssh-keygen -l -f '{$keyfile}' 2>&1", 'r');
|
|
| 298 |
- $output = fread($proc, 512); |
|
| 299 |
- DEBUG($output); |
|
| 300 |
- pclose($proc); |
|
| 301 |
- if (preg_match('/.* is not a public key file.*/', $output)) {
|
|
| 302 |
- unlink($keyfile); |
|
| 303 |
- system_failure('Der angegebene SSH-Key scheint ungültig zu sein.');
|
|
| 304 |
- } |
|
| 305 |
- |
|
| 306 |
- |
|
| 307 | 299 |
git_wrapper('add ' . $keyfile);
|
| 308 | 300 |
|
| 309 | 301 |
$userconfig = $config_dir . '/' . $username . '.conf'; |
| 310 | 302 |
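Review bot: `DEBUG("checking public key $keyfile");` now runs before `$keyfile` is assigned a few lines further down (`$keyfile = $key_dir . '/' . $handle . '.pub';`), so unless the variable is set earlier in newkey() outside this hunk, the message logs an empty path and PHP reports an undefined variable. Either move the DEBUG call below the assignment or log the handle instead, e.g. `DEBUG("checking public key for handle $handle");`. A short comment above `$pubkey = filter_ssh_key($pubkey);` would also help, for instance `// validate before anything is written to $key_dir; filter_ssh_key() aborts on an invalid key`, since the removed code wrote the file first and unlinked it on failure. newkey() begins and continues outside the hunk.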