summaryrefslogtreecommitdiff
path: root/httpdocs/index.php
diff options
context:
space:
mode:
authorErich Eckner <git@eckner.net>2018-09-28 15:41:14 +0200
committerErich Eckner <git@eckner.net>2018-09-28 15:41:14 +0200
commitfa6597e1cb308d9b76bff6e208c25e92055e89b0 (patch)
treed7431951e001ffbb259604a28fa07e60431f8800 /httpdocs/index.php
parent08f12d9ad35ad778c4b0e182e95f509d95ae70b2 (diff)
downloadarchive-server-fa6597e1cb308d9b76bff6e208c25e92055e89b0.tar.xz
httpdocs/index.php: check signatures if asked to
Diffstat (limited to 'httpdocs/index.php')
-rw-r--r--httpdocs/index.php47
1 files changed, 42 insertions, 5 deletions
diff --git a/httpdocs/index.php b/httpdocs/index.php
index 3295c38..88b4b09 100644
--- a/httpdocs/index.php
+++ b/httpdocs/index.php
@@ -1,17 +1,19 @@
<?php
+$work_dir = dirname(dirname(__FILE__)) . '/work/';
+
if (isset($_GET['r'])) {
if (base64_decode($_GET['r'],true)===false)
die('Invalid base64');
- if (!is_dir('../work/repositories/' . $_GET['r'])) {
- $wish_list = fopen('../work/wish-list','a');
+ if (!is_dir($work_dir . 'repositories/' . $_GET['r'])) {
+ $wish_list = fopen($work_dir . 'wish-list','a');
if ($wish_list === false)
die('Cannot open wish-list');
fwrite($wish_list, $_GET['r'] . "\n");
fclose($wish_list);
- die('I put repository on wish-list');
+ die('I put repository onto wish-list');
}
if (isset($_GET['tag'])) {
@@ -23,11 +25,46 @@ if (isset($_GET['r'])) {
'base64 -d' .
')';
} elseif (isset($_GET['commit'])) {
- if (preg_match('/^[a-f0-9]{40}$/', $_GET['commit']))
- $commit_identifier = $_GET['commit'];
+ if (!preg_match('/^[A-Fa-f0-9]{40}$/', $_GET['commit']))
+ die('The given commit does not have exactly 40 hex digits');
+ $commit_identifier = $_GET['commit'];
+ }
+
+ function expand_key($key) {
+ if (preg_match('/^[A-Fa-f0-9]{16}$/', $key))
+ return '.\{24\}' . $key;
+ elseif (preg_match('/^[A-Fa-f0-9]{40}$/', $key))
+ return $key;
+ else
+ die('The given key does not have exactly 16 or 40 hex digits');
}
if (isset($commit_identifier)) {
+ if (isset($_GET['valid_keys'])) {
+
+ $key_regex = '\(' . implode(
+ '\|',
+ array_map(
+ 'expand_key',
+ explode(
+ ',',
+ $_GET['valid_keys']
+ )
+ )
+ ) . '\)';
+
+ shell_exec(
+ 'GNUPGHOME="' . $work_dir . 'gnupg" gpg ' .
+ '--keyserver=hkp://keys.gnupg.net ' .
+ '--recv-keys ' . implode(' ',explode(',',$_GET['valid_keys']))
+ );
+
+ if (trim(shell_exec(
+ 'GNUPGHOME="' . $work_dir . 'gnupg" git -C "' . $work_dir . 'repositories/' . $_GET['r'] . '" verify-tag --raw "' . $commit_identifier . '" 2>&1 | ' .
+ 'grep -c "\[GNUPG:\] VALIDSIG ' . $key_regex . ' "'
+ )) == '0')
+ die('Commit ' . $commit_identifier . ' is not signed by ' . $_GET['valid_keys']);
+ }
$handle = popen(
'git -C "../work/repositories/' . $_GET['r'] . '" archive "' . $commit_identifier . '" | ' .
'gzip -nc',