

Merge pull request from GHSA-7cmj-g5qc-pj88
* QA: Fixing Package Import CVE

For now, we will only accept the Cacti public keys until such time as we are a registered CNA and have the ability to verify third parties or we make other arrangements.

* QA: The keys in our package have trailing spaces
TheWitness committed Apr 7, 2024
1 parent 9e87882 commit 624673f
Showing 1 changed file with 30 additions and 6 deletions.
36 changes: 30 additions & 6 deletions lib/import.php
Expand Up @@ -300,13 +300,32 @@ function import_xml_data(&$xml_data, $import_as_new, $profile_id, $remove_orphan
return $info_array;
}

function is_cacti_public_key($public_key) {
$public_key = trim($public_key);
$keys[] = get_public_key_sha1();
$keys[] = get_public_key_sha256();

foreach($keys as $key) {
if ($public_key === $key) {
return true;
}
}

return false;
}

function get_public_key_sha1() {
return get_public_key();
}

function get_public_key_sha256() {
$public_key = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApH0rQ6cEYMCeHh5b7zCw\n5Mxzrj5N6PNW4NJE6YvjpzR40SE/B+vGnwpQZB+bmAVPJcn7TgUf5+ZnPoLL7BNn\nfFhDOREzQYhcTGTxTFQ/AD/DdgzyALdWsV14mwkaxKchnY3XZY1Jg/tm+AFOBrEX\n3Oa4pkOf7+V2HXVhbMhWrsoW5/tI8AQBQtzadqxXDGMpwlwKb6QNlUPk1slQFn3e\nk9rpWgq/84OxsJs2MVFyo/Nh6ehu8cE7OYHOJ/1qQ+8w99ro+zllwLqStY3/Z3Bl\nQmGcllo3/LfnWc10aqdtpFOxWcJwzkQ1vvjzAuWYPmW/fNbft3+pRuS7sa2jj/oN\nvQIDAQAB\n-----END PUBLIC KEY-----";

return $public_key;
}

function get_public_key() {
$public_key = <<<EOD
-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMbPpuQfwmg93oOGjdLKrAqwEPwvvNjC
bk2YZiDglh8lQJxNQI9glG1Z/ptvqprFO3iSx9rTP4vzZ0Ek2+EMYTMCAwEAAQ==
-----END PUBLIC KEY-----
EOD;
$public_key = "-----BEGIN PUBLIC KEY-----\nMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMbPpuQfwmg93oOGjdLKrAqwEPwvvNjC\nbk2YZiDglh8lQJxNQI9glG1Z/ptvqprFO3iSx9rTP4vzZ0Ek2+EMYTMCAwEAAQ==\n-----END PUBLIC KEY-----";

return $public_key;
}
Expand Down Expand Up @@ -376,6 +395,11 @@ function import_package_get_details($xmlfile) {
function import_read_package_data($xmlfile, &$public_key) {
$public_key = import_package_get_public_key($xmlfile);

if (!is_cacti_public_key($public_key)) {
cacti_log('FATAL: Package Public Key is not Official Cacti Public Key for Package ' . $filename, true, 'IMPORT', POLLER_VERBOSITY_LOW);
return false;
}

$filename = "compress.zlib://$xmlfile";

$f = fopen($filename, 'r');
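Review bot: The new rejection branch in import_read_package_data logs `$filename` before that variable is assigned (the `$filename = "compress.zlib://$xmlfile";` line comes after the check), so the FATAL entry will name an empty package and emit an undefined-variable notice; the message should use the parameter instead, `cacti_log('FATAL: Package Public Key is not Official Cacti Public Key for Package ' . $xmlfile, true, 'IMPORT', POLLER_VERBOSITY_LOW);`. The function continues past the end of the hunk, so callers' handling of the new `return false` is not visible here and is presumably covered by the existing false-return path. In the first hunk, is_cacti_public_key appends to `$keys` without initialising it; `$keys = [];` before the two appends keeps the allow-list explicit, and a one-line comment such as `// Only packages signed with the official Cacti keys are accepted (see GHSA-7cmj-g5qc-pj88)` would record why the check is a strict equality against an embedded allow-list rather than any key carried in the package.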

