author | Erich Eckner <git@eckner.net> | 2018-09-28 15:41:14 +0200 |
---|---|---|
committer | Erich Eckner <git@eckner.net> | 2018-09-28 15:41:14 +0200 |
commit | fa6597e1cb308d9b76bff6e208c25e92055e89b0 (patch) | |
tree | d7431951e001ffbb259604a28fa07e60431f8800 | |
parent | 08f12d9ad35ad778c4b0e182e95f509d95ae70b2 (diff) | |
download | archive-server-fa6597e1cb308d9b76bff6e208c25e92055e89b0.tar.xz |
httpdocs/index.php: check signatures if asked to
-rw-r--r-- | httpdocs/index.php | 47 |
1 files changed, 42 insertions, 5 deletions
diff --git a/httpdocs/index.php b/httpdocs/index.php index 3295c38..88b4b09 100644 --- a/httpdocs/index.php +++ b/httpdocs/index.php @@ -1,17 +1,19 @@ <?php +$work_dir = dirname(dirname(__FILE__)) . '/work/'; + if (isset($_GET['r'])) { if (base64_decode($_GET['r'],true)===false) die('Invalid base64'); - if (!is_dir('../work/repositories/' . $_GET['r'])) { - $wish_list = fopen('../work/wish-list','a'); + if (!is_dir($work_dir . 'repositories/' . $_GET['r'])) { + $wish_list = fopen($work_dir . 'wish-list','a'); if ($wish_list === false) die('Cannot open wish-list'); fwrite($wish_list, $_GET['r'] . "\n"); fclose($wish_list); - die('I put repository on wish-list'); + die('I put repository onto wish-list'); } if (isset($_GET['tag'])) { 
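Review bot: `$_GET['r']` reaches the new `is_dir($work_dir . 'repositories/' . $_GET['r'])` and the `fwrite` to the wish-list with `base64_decode($_GET['r'], true)` as its only check, which tests decodability rather than which characters end up in the path. Strict mode may still tolerate whitespace such as newlines (worth confirming for the PHP version in use), which would let one request write several wish-list lines. An anchored allowlist before the path is built, e.g. `if (!preg_match('/^[A-Za-z0-9+\/=]+$/D', $_GET['r'])) die('Invalid base64');`, would make the accepted alphabet explicit. The enclosing `if (isset($_GET['r']))` block continues past this hunk.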
@@ -23,11 +25,46 @@ if (isset($_GET['r'])) { 'base64 -d' . ')'; } elseif (isset($_GET['commit'])) { - if (preg_match('/^[a-f0-9]{40}$/', $_GET['commit'])) - $commit_identifier = $_GET['commit']; + if (!preg_match('/^[A-Fa-f0-9]{40}$/', $_GET['commit'])) + die('The given commit does not have exactly 40 hex digits'); + $commit_identifier = $_GET['commit']; + } + + function expand_key($key) { + if (preg_match('/^[A-Fa-f0-9]{16}$/', $key)) + return '.\{24\}' . $key; + elseif (preg_match('/^[A-Fa-f0-9]{40}$/', $key)) + return $key; + else + die('The given key does not have exactly 16 or 40 hex digits'); } if (isset($commit_identifier)) { + if (isset($_GET['valid_keys'])) { + + $key_regex = '\(' . implode( + '\|', + array_map( + 'expand_key', + explode( + ',', + $_GET['valid_keys'] + ) + ) + ) . '\)'; + + shell_exec( + 'GNUPGHOME="' . $work_dir . 'gnupg" gpg ' . + '--keyserver=hkp://keys.gnupg.net ' . + '--recv-keys ' . implode(' ',explode(',',$_GET['valid_keys'])) + ); + + if (trim(shell_exec( + 'GNUPGHOME="' . $work_dir . 'gnupg" git -C "' . $work_dir . 'repositories/' . $_GET['r'] . '" verify-tag --raw "' . $commit_identifier . '" 2>&1 | ' . + 'grep -c "\[GNUPG:\] VALIDSIG ' . $key_regex . ' "' + )) == '0') + die('Commit ' . $commit_identifier . ' is not signed by ' . $_GET['valid_keys']); + } $handle = popen( 'git -C "../work/repositories/' . $_GET['r'] . '" archive "' . $commit_identifier . '" | ' . 'gzip -nc', |
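Review bot: The signature gate fails open, because the added `if (trim(shell_exec(...)) == '0') die(...)` rejects only when the pipeline prints exactly `0`; if `shell_exec()` returns null or an empty string (git or grep unavailable, the command failing to run), the comparison is false and the archive is served unverified. Requiring a positive match count closes that, e.g. `if ((int) trim(shell_exec(...)) < 1) die(...)`. Two further points in the same hunk: `expand_key` accepts lower-case hex but the `grep` against the `VALIDSIG` fingerprint is case-sensitive and gpg normally prints fingerprints in upper case, so returning `strtoupper($key)` would keep a lower-case key from never matching; and `git verify-tag` is also run when `$commit_identifier` came from `?commit=`, where `git verify-commit` looks like the intended command. The `--recv-keys` argument is shell-safe only because `expand_key` has already `die()`d on any non-hex element earlier in the block, so wrapping each key in `escapeshellarg()` would make that independent of statement order.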