From 588c72bf85c77323fd744438388d34ea36d4d85e Mon Sep 17 00:00:00 2001 From: TheWitness Date: Sun, 7 Apr 2024 11:14:28 -0400 Subject: [PATCH] Merge pull request from GHSA-7cmj-g5qc-pj88 * QA: Fixing Package Import CVE For now, we will only accept the Cacti public keys until such time as we are a registered CNA and have the ability to verify third parties or we make other arrangements. * QA: The keys in our package have trailing spaces --- lib/import.php | 36 ++++++++++++++++++++++++++++++------ 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/lib/import.php b/lib/import.php index 044fd317ce..391c10dc89 100644 --- a/lib/import.php +++ b/lib/import.php @@ -303,13 +303,32 @@ function import_xml_data(&$xml_data, $import_as_new, $profile_id, $remove_orphan return $info_array; } +function is_cacti_public_key($public_key) { + $public_key = trim($public_key); + $keys[] = get_public_key_sha1(); + $keys[] = get_public_key_sha256(); + + foreach($keys as $key) { + if ($public_key === $key) { + return true; + } + } + + return false; +} + +function get_public_key_sha1() { + return get_public_key(); +} + +function get_public_key_sha256() { + $public_key = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApH0rQ6cEYMCeHh5b7zCw\n5Mxzrj5N6PNW4NJE6YvjpzR40SE/B+vGnwpQZB+bmAVPJcn7TgUf5+ZnPoLL7BNn\nfFhDOREzQYhcTGTxTFQ/AD/DdgzyALdWsV14mwkaxKchnY3XZY1Jg/tm+AFOBrEX\n3Oa4pkOf7+V2HXVhbMhWrsoW5/tI8AQBQtzadqxXDGMpwlwKb6QNlUPk1slQFn3e\nk9rpWgq/84OxsJs2MVFyo/Nh6ehu8cE7OYHOJ/1qQ+8w99ro+zllwLqStY3/Z3Bl\nQmGcllo3/LfnWc10aqdtpFOxWcJwzkQ1vvjzAuWYPmW/fNbft3+pRuS7sa2jj/oN\nvQIDAQAB\n-----END PUBLIC KEY-----"; + + return $public_key; +} + function get_public_key() { - $public_key = <<