patches applied from our bz and from sourceforge tickets

phpki-0.82.bz10622.fixphpwarnings.patch         phpki-0.82-empty_pass_php_5.2.patch      phpki-0.82-remove_email_from_upload_file_name.patch
phpki-0.82-ca_admin_users.patch                 phpki-0.82-expirey.patch                 phpki-0.82-remove_security_warning.patch
phpki-0.82-ca_help.patch                        phpki-0.82-fix-dates-2.patch             phpki-0.82-sme_admin_user.patch
phpki-0.82-disable_download_after_create.patch  phpki-0.82-fix-dates-3.patch             phpki-0.82-sme_openvpn_bridge_compat.patch
phpki-0.82-display_root_pem.patch               phpki-0.82-fix-dates.patch               phpki-0.82-update_crl_via_cron.patch
phpki-0.82-dl_crl_in_pem.patch                  phpki-0.82-fix-preg_match.patch          phpki-0.82-use_sha1.patch
phpki-0.82-dl_display_ta_dh.patch               phpki-0.82-openvpn_static_key.patch
phpki-0.82-email_signing.patch                  phpki-0.82-potential_xss_php_self.patch

root/include/my_functions.php

@@ -1,6 +1,6 @@
 <?php
 
-$PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
+$PHP_SELF = htmlspecialchars($HTTP_SERVER_VARS['PHP_SELF'], ENT_QUOTES, "utf-8");
 
 #
 # Returns TRUE if browser is Internet Explorer.
@@ -74,12 +74,24 @@ function gpvar($v) {
 # Sort a two multidimensional array by one of it's columns
 #
 function csort($array, $column, $ascdec=SORT_ASC){    
-	if (sizeof($array) == 0) return $array;
 
-	foreach($array as $x) $sortarr[]=$x[$column];
-	array_multisort($sortarr, $ascdec, $array);  
+    if (sizeof($array) == 0) return $array;
 
-	return $array;
+    // Sort by digital date rather than text date
+    if ($column == 'issued') $column = "issuedSort";
+    if ($column == 'expires') $column = 'expiresSort';
+
+    if ($column == 'status') {
+	foreach($array as $x) {
+	    $sortarr[]=$x[$column];
+	    $sortdate[] = $x['expiresSort'];
+	}
+        array_multisort($sortarr, $ascdec, $sortdate, SORT_ASC, $array);
+    } else {
+        foreach($array as $x) $sortarr[]=$x[$column];
+        array_multisort($sortarr, $ascdec, $array);
+    }
+    return $array;
 }
 
 
@@ -160,42 +172,53 @@ function undo_magic_quotes(&$a) {
 # Returns TRUE if argument contains only alphabetic characters.
 #
 function is_alpha($v) {
-	return (eregi('[^A-Z]',$v) ? false : true) ;
+	#return (eregi('[^A-Z]',$v) ? false : true) ;
+	#return (preg_match('/[^A-Z]'.'/i',$v,PCRE_CASELESS) ? false : true) ; # Replaced eregi() with preg_match()
+	return (preg_match('/[^A-Z]/i',$v) ? false : true) ;
 }
 
 #
 # Returns TRUE if argument contains only numeric characters.
 #
+
 function is_num($v) {
-	return (eregi('[^0-9]',$v) ? false : true) ;
+	#return (eregi('[^0-9]',$v) ? false : true) ;
+	return (preg_match('/[^0-9]/',$v) ? false : true) ; # Replaced eregi() with preg_match()
 }
 
 #
 # Returns TRUE if argument contains only alphanumeric characters.
 #
+
 function is_alnum($v) {
-	return (eregi('[^A-Z0-9]',$v) ? false : true) ;
+	#return (eregi('[^A-Z0-9]',$v) ? false : true) ;
+	return (preg_match('/[^A-Z0-9]/i',$v) ? false : true) ; # Replaced eregi() with preg_match()
 }
 
 #
 # Returns TRUE if argument is in proper e-mail address format.
 #
 function is_email($v) {
-	return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,3}$',$v) ? true : false);
+	#return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false);
+	return (preg_match('/^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$'.'/i',$v) ? true : false); # Replaced eregi() with preg_match()
 }
 
 #
 # Checks regexp in every element of an array, returns TRUE as soon
 # as a match is found.
 #
-function eregi_array($regexp, $a) {
 
-foreach($a as $e) {
-	if (eregi($regexp,$e)) return true;
-}
-return false;
-}
+function eregi_array($regexp, $arr) {
 
+	foreach ($arr as $elem) {
+		#if (eregi($regexp,$elem))
+		if (! preg_match('/^\/.*\/$/', $regexp)) # if it doesn't begin and end with '/'
+			$regexp = '/'.$regexp.'/'; # pad the $regexp with '/' to prepare for preg_match()
+		if (preg_match($regexp.'i',$elem)) # Replaced eregi() with preg_match()
+			return true;
+	}
+	return false;
+}
 #
 # Reads entire file into a string
 # Same as file_get_contents in php >= 4.3.0