Do not allow recursive decompression

Co-Authored-By: Heiko Schaefer <heiko@schaefer.name>
rpgp · Feb 19, 2024 · 2ac3027 · 2ac3027
1 parent 5357815
commit 2ac3027
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/src/composed/message/types.rs b/src/composed/message/types.rs
@@ -611,16 +611,29 @@ impl Message {
     }
 
     /// Returns the underlying content and `None` if the message is encrypted.
+    ///
+    /// Decompresses up to one layer of compressed data.
     pub fn get_content(&self) -> Result<Option<Vec<u8>>> {
+        self.get_content_internal(true)
+    }
+
+    /// Returns the underlying content and `None` if the message is encrypted.
+    ///
+    /// If `decompress` is true, may decompress a compressed message.
+    fn get_content_internal(&self, decompress: bool) -> Result<Option<Vec<u8>>> {
         match self {
             Message::Literal(ref data) => Ok(Some(data.data().to_vec())),
             Message::Signed { message, .. } => Ok(message
                 .as_ref()
                 .and_then(|m| m.get_literal())
                 .map(|l| l.data().to_vec())),
             Message::Compressed(data) => {
-                let msg = Message::from_bytes(data.decompress()?)?;
-                msg.get_content()
+                if decompress {
+                    let msg = Message::from_bytes(data.decompress()?)?;
+                    msg.get_content_internal(false)
+                } else {
+                    bail!("Recursive decompression not allowed");
+                }
             }
             Message::Encrypted { .. } => Ok(None),
         }
@@ -991,4 +1004,13 @@ mod tests {
         // verify the signature with alice's signing subkey
         signed_msg.verify(&verify).expect("signature seems bad");
     }
+
+    /// Tests that decompressing compression quine does not result in stack overflow.
+    /// quine.out comes from <https://mumble.net/~campbell/misc/pgp-quine/>
+    /// See <https://mumble.net/~campbell/2013/10/08/compression> for details.
+    #[test]
+    fn test_compression_quine() {
+        let msg = Message::from_bytes(&include_bytes!("../../../tests/quine.out")[..]).unwrap();
+        assert!(msg.get_content().is_err());
+    }
 }
diff --git a/tests/quine.out b/tests/quine.out