From fa6597e1cb308d9b76bff6e208c25e92055e89b0 Mon Sep 17 00:00:00 2001
From: Erich Eckner <git@eckner.net>
Date: Fri, 28 Sep 2018 15:41:14 +0200
Subject: httpdocs/index.php: check signatures if asked to

---
 httpdocs/index.php | 47 ++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 42 insertions(+), 5 deletions(-)

(limited to 'httpdocs')

diff --git a/httpdocs/index.php b/httpdocs/index.php
index 3295c38..88b4b09 100644
--- a/httpdocs/index.php
+++ b/httpdocs/index.php
@@ -1,17 +1,19 @@
 <?php
 
+$work_dir = dirname(dirname(__FILE__)) . '/work/';
+
 if (isset($_GET['r'])) {
 
   if (base64_decode($_GET['r'],true)===false)
     die('Invalid base64');
 
-  if (!is_dir('../work/repositories/' . $_GET['r'])) {
-    $wish_list = fopen('../work/wish-list','a');
+  if (!is_dir($work_dir . 'repositories/' . $_GET['r'])) {
+    $wish_list = fopen($work_dir . 'wish-list','a');
     if ($wish_list === false)
       die('Cannot open wish-list');
     fwrite($wish_list, $_GET['r'] . "\n");
     fclose($wish_list);
-    die('I put repository on wish-list');
+    die('I put repository onto wish-list');
   }
 
   if (isset($_GET['tag'])) {
@@ -23,11 +25,46 @@ if (isset($_GET['r'])) {
           'base64 -d' .
       ')';
   } elseif (isset($_GET['commit'])) {
-    if (preg_match('/^[a-f0-9]{40}$/', $_GET['commit']))
-      $commit_identifier = $_GET['commit'];
+    if (!preg_match('/^[A-Fa-f0-9]{40}$/', $_GET['commit']))
+      die('The given commit does not have exactly 40 hex digits');
+    $commit_identifier = $_GET['commit'];
+  }
+
+  function expand_key($key) {
+    if (preg_match('/^[A-Fa-f0-9]{16}$/', $key))
+      return '.\{24\}' . $key;
+    elseif (preg_match('/^[A-Fa-f0-9]{40}$/', $key))
+      return $key;
+    else
+      die('The given key does not have exactly 16 or 40 hex digits');
   }
 
   if (isset($commit_identifier)) {
+    if (isset($_GET['valid_keys'])) {
+
+      $key_regex = '\(' . implode(
+        '\|',
+        array_map(
+          'expand_key',
+          explode(
+            ',',
+            $_GET['valid_keys']
+          )
+        )
+      ) . '\)';
+
+      shell_exec(
+        'GNUPGHOME="' . $work_dir . 'gnupg" gpg ' .
+        '--keyserver=hkp://keys.gnupg.net ' .
+        '--recv-keys ' . implode(' ',explode(',',$_GET['valid_keys']))
+      );
+
+      if (trim(shell_exec(
+        'GNUPGHOME="' . $work_dir . 'gnupg" git -C "' . $work_dir . 'repositories/' . $_GET['r'] . '" verify-tag --raw "' . $commit_identifier . '" 2>&1 | ' .
+        'grep -c "\[GNUPG:\] VALIDSIG ' . $key_regex . ' "'
+      )) == '0')
+        die('Commit ' . $commit_identifier . ' is not signed by ' . $_GET['valid_keys']);
+    }
     $handle = popen(
       'git -C "../work/repositories/' . $_GET['r'] . '" archive "' . $commit_identifier . '" | ' .
       'gzip -nc',
-- 
cgit v1.2.3