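. * *************************************************************/

// Refuse to continue unless the request arrived over HTTPS. isset() keeps a
// plain-HTTP request, where the key may be absent, from raising an
// undefined-index notice before the script aborts.
if (! isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != "on") {
    die ("Use a secure HTTPS connection to the server. Aborting ...");
}

// Settings such as $GPGDIR, $DATADIR and $INPUT are not assigned in this
// script before they are used; presumably gpgconfig.php provides them.
if (! is_file("gpgconfig.php")){
    die ("Config file does not exist.");
}
require_once('gpgconfig.php');

if (! isset($DATADIR)){
    $DATADIR = "/none";
    $FILESDIR = "/none";
}

// Request policy:
//  - a non-POST request carrying a query string is accepted only when
//    $INPUT is 'file' (so secrets are not recorded in query strings);
//  - a 'file' parameter is resolved below the per-user directory when
//    $USERID is set, otherwise below $GPGDIR/data.
if (strtoupper($_SERVER['REQUEST_METHOD']) != "POST") {
    // check if there is a query string, then abort except if files are to be handled.
    if (count($_GET) != 0){
        if ($INPUT != 'file') {
            die ("Always use POST to prevent recording of query strings. Aborting ...");
        } else {
            if (isset($_REQUEST['file'])) {
                // touch legitimate files only !
                if (isset($USERID)) {
                    $FILESDIR = $DATADIR ."/". $USERID;
                } else {
                    $FILESDIR = $GPGDIR."/data";
                }
                $RELATIVEFILE = checkinput($_REQUEST['file'],"noscript");
                $FILE = $FILESDIR ."/". $RELATIVEFILE;
                $FILE = str_replace('//','/',$FILE);
            } else {
                $FILE = "/none";
            }
        }
    }
} else {
    if (isset($_REQUEST['file'])) {
        // touch legitimate files only !
        if (isset($USERID)) {
            $FILESDIR = $DATADIR ."/". $USERID;
        } else {
            $FILESDIR = $GPGDIR."/data";
        }
        $RELATIVEFILE = checkinput($_REQUEST['file'],"noscript");
        $FILE = $FILESDIR ."/". $RELATIVEFILE;
        $FILE = str_replace('//','/',$FILE);
    }
}
if (! isset($RELATIVEFILE)){
    $RELATIVEFILE = "/none";
}

// Reject a requested name that could leave $FILESDIR: any ".." path segment
// (including a trailing one, which the '../' replacement below does not
// touch) or an embedded NUL byte. checkinput() is defined elsewhere, so this
// check does not rely on what its "noscript" mode filters.
if (preg_match('#(^|/)\.\.(/|$)#', $RELATIVEFILE) || strpos($RELATIVEFILE, "\0") !== false) {
    die ("Illegal file name. Aborting ...");
}

// $FILE stays unassigned when no file was requested (POST without 'file',
// or a non-POST request without a query string). Give it the empty string
// the str_replace() call below produced for an undefined variable anyway.
if (! isset($FILE)){
    $FILE = "";
}
// Kept as a second line of defence. Note that it rewrites the whole path,
// directory prefix included, not only the part taken from the request.
$FILE = str_replace('../','xxx',$FILE);

if (! is_dir($GPGDIR)){
    die ("GPG directory $GPGDIR does not exist.");
} else {
    $ERRORFILE = $GPGDIR."/gpgerrors";
}

// Defaults for options the configuration may leave unset.
if (! isset($DECRYPTBIGFILES)){
    $DECRYPTBIGFILES = "no";
}
if (! isset($PLAINRETURN)){
    $PLAINRETURN = "no";
}

$TEXT = "";
if (isset($_REQUEST[$DECRYPTIONTEXTAREA])) {
    $TEXT = $_REQUEST[$DECRYPTIONTEXTAREA];
    // NOTE(review): addslashes() is not shell quoting. Later in this script
    // $TEXT is placed inside a double-quoted argument of a shell command
    // line, where "$" and backticks are still interpreted by the shell.
    // Feed the text to gpg on stdin, or quote it with escapeshellarg() at
    // the point of use.
    $TEXT = addslashes($TEXT);
}
if (isset($_REQUEST['secret'])) {
    // NOTE(review): $SECRET is later concatenated into the gpg command line.
    // Whether checkinput()'s "noscript" mode makes it safe for that context
    // cannot be seen here - TODO confirm. $SECRET also stays undefined when
    // the request carries no 'secret' parameter.
    $SECRET = checkinput($_REQUEST['secret'],"noscript");
}
if (! isset($KEYSELECTION)){
    $KEYSELECTION = "no";
}
if (! isset($DECRYPTIONIFRAMENUMBER)){
    $DECRYPTIONIFRAMENUMBER = 0;
}
if (! isset($REPLACEFILE)){
    $REPLACEFILE = "no";
}
if (isset($_REQUEST['decryptionkey'])){
    $DECRYPTIONKEY = checkinput($_REQUEST['decryptionkey'],"noscript");
}

// Page output starts here; the string literal opened on the next statement
// continues on the following line of the file.
echo "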
\n";
            // NOTE(review): this section is an excerpt. The markup inside the
            // echo strings and the statements that opened the blocks closed
            // below are not visible here; $SIZE, $FILENAME and $CRYPTOGRAM are
            // assigned in that missing part, and unix()/unixpipe() are helpers
            // defined elsewhere (presumably they run the string through a
            // shell and return its output - TODO confirm).
            echo "decrypting ".$SIZE." bytes ...
\n";
            // Decrypt the ciphertext file $CRYPTOGRAM into $FILENAME.
            // NOTE(review): the passphrase is passed as a command-line
            // argument, where it is typically visible in the process list to
            // other local users; gpg's --passphrase-fd or --passphrase-file
            // avoids that. Every interpolated value ($GPGDIR, $ERRORFILE,
            // $SECRET, $FILENAME, $CRYPTOGRAM) is concatenated unquoted;
            // $SECRET comes from the request, so each value should go through
            // escapeshellarg() unless unix() is confirmed not to use a shell.
            $ENC ="/usr/bin/gpg --homedir ".$GPGDIR." --require-secmem --batch --no-tty --yes --logger-file ".$ERRORFILE." --passphrase ".$SECRET." --output ".$FILENAME." --decrypt ".$CRYPTOGRAM ;
            unix($ENC);
            // The ciphertext copy is removed once gpg has run.
            unix("rm ".$CRYPTOGRAM);
        } else {
            // Same gpg invocation, but the ciphertext $TEXT is handed to
            // unixpipe() together with the command (presumably written to
            // gpg's stdin - TODO confirm) and the plaintext is redirected
            // into $FILENAME. The passphrase and quoting remarks above apply
            // here as well.
            $ENC ="/usr/bin/gpg --homedir ".$GPGDIR." --require-secmem --batch --no-tty --yes --logger-file ".$ERRORFILE." --passphrase ".$SECRET." --output - --decrypt > ".$FILENAME ;
            unixpipe($ENC,$TEXT);
        }
        // Restrict the plaintext file to its owner. NOTE(review): this runs
        // after the file has been written, so the file exists with its
        // creation-time permissions until this point.
        unix("chmod 600 ".$FILENAME);
        // Read back at most 20000000 bytes of plaintext; anything beyond that
        // is not in $RESULT. The fopen() result is not checked before use.
        $handle = fopen($FILENAME, "r");
        $RESULT = fread($handle,20000000);
        fclose($handle);
        // $RESULT may contain code, so it is filtered before it is used for
        // output (checkinput() is defined elsewhere).
        $RESULT = checkinput($RESULT, "noscript");
        if ($INPUT != 'file') {
            // destroy content of the plain text file
            // NOTE(review): the zero-fill length is strlen() of the filtered
            // $RESULT, which need not equal the file size if checkinput()
            // changes the length or the file exceeds the read cap; the file
            // is removed afterwards either way. An in-place overwrite is also
            // not guaranteed to erase the data on every filesystem or medium.
            unix("dd if=/dev/zero of=".$FILENAME." bs=1 count=".strlen($RESULT));
            unix("sync");
            unix("rm ".$FILENAME);
        }
    } else {
        // Decrypt without a temporary file: the ciphertext is echoed into gpg
        // and the plaintext is taken from the command's output.
        // NOTE(review): $TEXT is request data that was only passed through
        // addslashes() earlier in this script. Inside the double-quoted echo
        // argument the shell still interprets "$" and backticks, so this
        // string must not be built by concatenation; quote with
        // escapeshellarg() or supply the text on stdin. The passphrase
        // remark above applies here too.
        $ENC ="echo \"".$TEXT."\" | /usr/bin/gpg --homedir ".$GPGDIR." --require-secmem --batch --no-tty --yes --logger-file ".$ERRORFILE." --passphrase ".$SECRET." --output - --decrypt" ;
        $RESULT = unix($ENC);
    }
    // Read gpg's log file ($ERRORFILE is the --logger-file target above).
    $ERRORS = unix("cat ".$ERRORFILE);
    echo "\n";
    // check if decryption is successful: $RESULT must be non-empty and must
    // not contain either of the two error messages looked for below.
    $ERR1 = strpos($RESULT,'No such file or directory');
    $ERR2 = strpos($RESULT,'no valid OpenPGP data found');
    if (($ERR1 === false) && ($ERR2 === false) && (strlen($RESULT) > 0 )){
        // NOTE(review): the statements between this test and the "else"
        // below are incomplete in this excerpt, so which condition the
        // copy-to-$FILE branch really belongs to cannot be told from here.
        echo "
\n";
        echo " \n\n";
    } else {
        // Store the plaintext next to the requested file: either over $FILE
        // itself or under the same name without a trailing ".asc".
        // NOTE(review): $FILE / $FNAME are wrapped in double quotes only and
        // $FILENAME is unquoted; escapeshellarg() is the appropriate quoting
        // for values placed on a shell command line.
        if ($REPLACEFILE == "yes") {
            unix("cp ".$FILENAME." \"".$FILE."\"");
        } else {
            // strip .asc from filename
            if (substr($FILE,-4) == '.asc') {
                $FNAME = substr($FILE,0,-4);
            } else {
                $FNAME = $FILE;
            }
            unix("cp ".$FILENAME." \"".$FNAME."\"");
        }
        // destroy content of the plain text file (same length caveat as for
        // the earlier zero-fill: the count is strlen() of the filtered $RESULT)
        unix("dd if=/dev/zero of=".$FILENAME." bs=1 count=".strlen($RESULT));
        unix("sync");
        unix("rm ".$FILENAME);
        echo "\n";
    }
    echo "
";
} else {
    // Output built from $SEC, $SUB and $UID, which are assigned outside this
    // excerpt. NOTE(review): confirm they are escaped for the output context
    // before being echoed.
    echo "
".$SEC." ".$SUB." | ";
    echo "".$UID." | \n";
    echo "
";
}
echo "\n