Dash escaping is not handled correctly #341

Closed
mgorny opened this issue Aug 26, 2020 · 0 comments · Fixed by #342

mgorny commented Aug 26, 2020

Consider the following code sample:

```python
import pgpy

# Load the signer's public key into a keyring.
kr = pgpy.PGPKeyring()
kr.load('''
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=FnKG
-----END PGP PUBLIC KEY BLOCK-----
''')

# Cleartext-signed message; the body line "foobar" was dash-escaped to "- foobar".
m = pgpy.PGPMessage.from_blob('''
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- foobar
-----BEGIN PGP SIGNATURE-----

iLMEAQEIAB0WIQRKkw5wlAF/VENkOMhCSeg1MsdZXgUCX0Xx3QAKCRBCSeg1MsdZ
XqHwA/0QLDsTK6AfRqIv1UPyiZCtwh+vxyu9GZ7TM6WGx4C8jKXh5gn5GPsqS81I
u3r/NaD80c/lPVp52aKyIxOUBLTcwIy7PvithRIaDnwJs+cCsCZghMj052XMLeva
pa06BMB2jlCs9Q83+k0AK47s7lYsLhk/tOV6iiVy6fatlUk1Hg==
=n+Bd
-----END PGP SIGNATURE-----
''')

# Verify the signature using the key with this fingerprint.
with kr.key('4A930E7094017F54436438C84249E83532C7595E') as k:
    print(k.verify(m))
```

This should yield successful verification, vide gpg:

```
$ LC_TIME=C gpg --verify test.txt.asc
gpg: Signature made Wed Aug 26 07:23:41 2020 CEST
gpg:                using RSA key 4A930E7094017F54436438C84249E83532C7595E
gpg: Good signature from "testuser <testuser@example.com>" [ultimate]
```

Per the spec, `- `-escaping can be used to escape any line, not just lines with dashes.

mgorny added a commit to mgorny/PGPy that referenced this issue Aug 26, 2020
According to RFC 4880, 'an implementation MAY dash-escape any line,
SHOULD dash-escape lines commencing "From" followed by a space [...]'.
Therefore it is necessary to unescape all lines starting with dash-space
sequences, and not just these that have a dash following this sequence.

Fixes SecurityInnovation#341
mgorny added a commit to mgorny/PGPy that referenced this issue Aug 30, 2020
mgorny added a commit to mgorny/PGPy that referenced this issue Sep 8, 2020
According to RFC 4880, 'an implementation MAY dash-escape any line,
SHOULD dash-escape lines commencing "From" followed by a space [...]'.
Therefore it is necessary to unescape all lines starting with dash-space
sequences, and not just these that have a dash following this sequence.

Fixes SecurityInnovation#341

Signed-off-by: Michał Górny <mgorny@gentoo.org>
J-M0 closed this as completed in #342 Sep 8, 2020
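
The difference between the two unescaping rules named in the commit message, as an added example that is not PGPy's code and not part of the issue. The function names, the constructed sample text and the text-only SHA-256 digest (a stand-in for the text portion of the signature hash) are assumptions made for illustration.

```python
import hashlib
import re

def dash_escape(text, every_line=False):
    """Signer side (RFC 4880 section 7.1): lines starting with "-" MUST be
    escaped, "From " lines SHOULD be, any other line MAY be.
    every_line=True models a signer that escapes every line."""
    out = []
    for line in text.split("\n"):
        if every_line or line.startswith("-") or line.startswith("From "):
            line = "- " + line
        out.append(line)
    return "\n".join(out)

def unescape_dash_only(text):
    """Rule the commit message calls insufficient: strip "- " only when
    another dash follows it."""
    return re.sub(r"^- (?=-)", "", text, flags=re.MULTILINE)

def unescape_any_line(text):
    """Rule the commit message asks for: strip a leading "- " from any line."""
    return re.sub(r"^- ", "", text, flags=re.MULTILINE)

def signed_text_digest(text):
    """SHA-256 over the canonical cleartext (trailing spaces and tabs removed,
    CRLF line endings). A real signature hash also covers signature packet
    data; only the text part is modelled here."""
    lines = [line.rstrip(" \t") for line in text.split("\n")]
    return hashlib.sha256("\r\n".join(lines).encode()).hexdigest()

# Constructed sample text (not taken from the issue).
ORIGINAL = "foobar\nFrom the signer\n-----BEGIN PGP SIGNATURE-----\nplain line"

def roundtrip_ok(unescape, every_line):
    """True if the verifier recovers exactly the text the signer hashed."""
    escaped = dash_escape(ORIGINAL, every_line=every_line)
    return signed_text_digest(unescape(escaped)) == signed_text_digest(ORIGINAL)

if __name__ == "__main__":
    for fn in (unescape_dash_only, unescape_any_line):
        for every_line in (False, True):
            print(fn.__name__, "every_line=%s" % every_line,
                  "digest matches:", roundtrip_ok(fn, every_line))
```

With the dash-only rule the digest mismatches even when the signer escapes only the "From " line, so a valid signature is reported as bad.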