author | Valérian Saliou <valerian@valeriansaliou.name> | 2014-05-03 20:33:41 +0400 |
committer | Valérian Saliou <valerian@valeriansaliou.name> | 2014-05-03 20:33:41 +0400 |
commit | 6735e02869de35b003458e5516f2459f886ddec7 (patch) | |
tree | 4c085bb0f90535ffb1f851bc796c644b0432ab26 /server | |
parent | 9a6ba5c128c47e33a94cd5c3297dce85ec709df9 (diff) |
Safer way to verify identity of Jappix.org when updating (prevents server hacks)
Diffstat (limited to 'server')
-rw-r--r-- | server/functions-manager.php | 7 | ||||
-rw-r--r-- | server/functions.php | 40 | ||||
-rw-r--r-- | server/geolocation.php | 2 | ||||
-rw-r--r-- | server/jingle.php | 2 | ||||
-rw-r--r-- | server/music-search.php | 2 |
5 files changed, 46 insertions, 7 deletions
diff --git a/server/functions-manager.php b/server/functions-manager.php
index ff1524e6..05888d82 100644
--- a/server/functions-manager.php
+++ b/server/functions-manager.php
@@ -208,7 +208,7 @@ function newUpdates($force) {
 // No cache, obsolete one or refresh forced
 if(!file_exists($cache_path) || (file_exists($cache_path) && (time() - (filemtime($cache_path)) >= 86400)) || $force) {
 // Get the content
- $last_version = read_url('https://jappix.org/xml/version.xml');
+ $last_version = readUrl('https://jappix.org/xml/version.xml');
 
 // Write the content
 file_put_contents($cache_path, $last_version, LOCK_EX);
@@ -281,9 +281,12 @@ function processUpdate($url) {
 if(!file_exists($path)) {
 echo('<p>» '.T_("Downloading package...").'</p>');
 
+ // Create SSL request context
+ $ssl_context = requestContext($url);
+
 // Open the packages
 $local = fopen($path, 'w');
- $remote = fopen($url, 'r');
+ $remote = fopen($url, 'r', false, $ssl_context);
 
 // Could not open a socket?!
 if(!$remote) {
diff --git a/server/functions.php b/server/functions.php
index 2af7b4b7..fa616eb5 100644
--- a/server/functions.php
+++ b/server/functions.php
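Review bot: The new `$remote = fopen($url, 'r', false, $ssl_context)` is only verified when `$url` is an https URL whose host is exactly jappix.org, because `requestContext()` (added in the functions.php hunk) returns a context with no `ssl` options for any other scheme or host, so an `http://` or foreign-host package URL would be downloaded and written to `$path` with no verification and no error. Since this is the path that installs an update, I would refuse anything else before the two `fopen()` calls and bail out the same way the existing `if(!$remote)` branch does: `if(parse_url($url, PHP_URL_SCHEME) !== 'https' || parse_url($url, PHP_URL_HOST) !== 'jappix.org') { /* abort as on a failed socket */ }`, with the comment `// Only https://jappix.org/ is verified by requestContext(); refuse anything else`. Note also that `$local = fopen($path, 'w')` has already created an empty file before `$remote` is checked, and the enclosing `if(!file_exists($path))` would treat that empty file as the downloaded package on a retry unless the `if(!$remote)` branch (outside this hunk) unlinks it. TLS only authenticates the transport; whether the package is additionally signed or hash-checked is not visible here. processUpdate() continues past the end of the hunk.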
@@ -141,8 +141,39 @@ function readXML($type, $xmlns) {
 return false;
 }
 
+// Creates a secure download context (StartSSL provider, used on Jappix.org which is the update source)
+function requestContext($remote_url, $type = 'default', $opt = null) {
+ $options = array();
+ $url_parse = parse_url($remote_url);
+
+ $ca_path = JAPPIX_BASE.'/misc/certs/';
+
+ // Official update host?
+ if($url_parse['scheme'] === 'https' && $url_parse['host'] === 'jappix.org') {
+ if($type === 'curl') {
+ curl_setopt($opt, CURLOPT_SSL_VERIFYPEER, TRUE);
+ curl_setopt($opt, CURLOPT_CAPATH, $ca_path);
+ } else {
+ $options['ssl'] = array(
+ 'verify_peer' => true,
+ 'capath' => $ca_path,
+ 'verify_depth' => 10,
+ 'CN_match' => $url_parse['host']
+ );
+ }
+ }
+
+ if($type === 'curl') {
+ return true;
+ } else {
+ $ssl_context = stream_context_create($options);
+
+ return $ssl_context;
+ }
+}
+
 // The function to read remote URLs
-function read_url($url) {
+function readUrl($url) {
 // Any cURL?
 if(function_exists('curl_init')) {
 $ch = curl_init();
@@ -151,11 +182,16 @@ function read_url($url) {
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
 curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
 
+ // Set dynamic request context
+ requestContext($url, 'curl', $ch);
+
 $data = curl_exec($ch);
 curl_close($ch);
 } else {
+ $context = requestContext($url);
+
 // Fallback on default method
- $data = @file_get_contents($url);
+ $data = @file_get_contents($url, false, $context);
 }
 
 return $data;
diff --git a/server/geolocation.php b/server/geolocation.php
index 33a9ddf2..4156a846 100644
--- a/server/geolocation.php
+++ b/server/geolocation.php
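Review bot: `parse_url($remote_url)` returns `false` for a badly malformed URL and omits the `scheme` and `host` keys when they are absent, so the `$url_parse['scheme'] === 'https' && $url_parse['host'] === 'jappix.org'` test in the new `if` raises a notice and compares against null instead of cleanly treating the URL as unofficial; guard it with `if(is_array($url_parse) && isset($url_parse['scheme'], $url_parse['host']) && $url_parse['scheme'] === 'https' && $url_parse['host'] === 'jappix.org')`. Both `CURLOPT_CAPATH` and the stream `capath` option name an OpenSSL hash directory, which only works if `misc/certs/` contains `c_rehash`-style hashed file names (the directory is not visible here); if it simply holds a PEM bundle, pointing `CURLOPT_CAINFO` and `cafile` at that file is the less fragile choice. Pinning the update host to a single bundled issuer means a certificate re-issued under another CA silently breaks update checks until the bundle is refreshed, which deserves a comment on the `$ca_path` line: `// Only this bundle is trusted for jappix.org — refresh it whenever the site's certificate chain changes`. `CN_match` is the pre-5.6 option name; PHP 5.6 and later expect `peer_name` together with `verify_peer_name`, so this block will need revisiting when the minimum PHP version moves.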
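Review bot: For any https URL other than jappix.org the `$context` obtained from `requestContext($url)` carries no `ssl` options, so the `@file_get_contents($url, false, $context)` fallback runs with the engine defaults, which on the PHP releases current at the time (before 5.6) means no peer verification at all — the TURN credentials that jingle.php fetches from `https://computeengineondemand.appspot.com` through this function (a later hunk) therefore still go unverified on hosts without cURL. I would have `requestContext()` enable verification for every https URL and only swap in the bundled `capath` for the update host, e.g. `if($url_parse['scheme'] === 'https') { $options['ssl'] = array('verify_peer' => true); }` placed ahead of the jappix.org-specific block. The `@` also discards the verification-failure warning, so a certificate problem is indistinguishable from an empty response; when `$data === false`, at least capture `error_get_last()` so operators can tell the two apart. The function continues past `return $data;` (its closing brace lies outside the hunk).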
@@ -36,7 +36,7 @@ if((isset($_GET['latitude']) && !empty($_GET['latitude'])) && (isset($_GET['long
 header('Content-Type: text/xml; charset=utf-8');
 
 // Get the XML content
- $xml = read_url('http://maps.googleapis.com/maps/api/geocode/xml?latlng='.urlencode($_GET['latitude']).','.urlencode($_GET['longitude']).'&language='.urlencode($_GET['language']).'&sensor=true');
+ $xml = readUrl('http://maps.googleapis.com/maps/api/geocode/xml?latlng='.urlencode($_GET['latitude']).','.urlencode($_GET['longitude']).'&language='.urlencode($_GET['language']).'&sensor=true');
 
 exit($xml);
 }
diff --git a/server/jingle.php b/server/jingle.php
index 1aca6976..c9fe5d34 100644
--- a/server/jingle.php
+++ b/server/jingle.php
@@ -52,7 +52,7 @@ if(isset($_GET['username']) && !empty($_GET['username'])) {
 // if you are concerned about privacy, rather setup your TURN and add it to Jappix hosts configuration
 
 // Get the JSON content
- $json = read_url('https://computeengineondemand.appspot.com/turn?username='.urlencode($_GET['username']));
+ $json = readUrl('https://computeengineondemand.appspot.com/turn?username='.urlencode($_GET['username']));
 
 if($json && strpos($json, 'uris') !== false) {
 file_put_contents($cache_path, $json);
diff --git a/server/music-search.php b/server/music-search.php
index dece3389..2b2a4c1e 100644
--- a/server/music-search.php
+++ b/server/music-search.php
@@ -41,7 +41,7 @@ if((isset($_GET['searchquery']) && !empty($_GET['searchquery'])) && (isset($_GET
 
 // Jamendo search?
 if($location == 'jamendo') {
- exit(read_url('http://api.jamendo.com/get2/name+id+duration+url/track/xml/?searchquery='.urlencode($searchquery).'&order=searchweight_desc'));
+ exit(readUrl('http://api.jamendo.com/get2/name+id+duration+url/track/xml/?searchquery='.urlencode($searchquery).'&order=searchweight_desc'));
 }
 
 // Local music search