authorDavid Kalnischkies <david@kalnischkies.de>2019-01-28 20:45:02 +0100
committerDavid Kalnischkies <david@kalnischkies.de>2019-01-28 20:45:02 +0100
commit9b840b59cc80a072e14b8adc9d76669a7a50ab87 (patch)
treea3ceb1afc6921c519a33dc35b2bfa6214bd0f363 /apt-pkg
parent93c9a49c1fd378cd0a3b472d68afb3378da145b8 (diff)
Refuse files with lines unexpectedly starting with a dash
We support dash-encoding even if we don't really work with files which would need it, as implementations are free to encode every line, but otherwise a line starting with a dash must either be a header we parse explicitly or the file is refused. This is against the RFC, which says clients should warn on such files, but given that we aren't expecting any files with dash-started lines to begin with, this looks a lot like a case where we should not continue to touch the file, as it smells like an attempt to confuse different parsers by "hiding" headers in-between others. The other slightly more reasonable explanation would be an armor header key starting with a dash, but no existing key does that and it seems unlikely that this could ever happen. Also, it is recommended that clients warn about unknown keys, so the appearance of new keys is limited.
Diffstat (limited to 'apt-pkg')
-rw-r--r--apt-pkg/contrib/gpgv.cc46
1 files changed, 37 insertions, 9 deletions
diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc
index 6e4e9b3df..0b595fc4c 100644
--- a/apt-pkg/contrib/gpgv.cc
+++ b/apt-pkg/contrib/gpgv.cc
@@ -297,6 +297,14 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG,
if (found_signatures != 0)
break;
}
+ else if (buf.starts_with("-"))
+ {
+ // the used Radix-64 is not using dash for any value, so a valid line can't
+ // start with one. Header keys could, but no existent one does and seems unlikely.
+ // Instead it smells a lot like a header the parser didn't recognize.
+ apt_error(std::cerr, statusfd, fd, "Detached signature file '%s' contains unexpected line starting with a dash", FileGPG.c_str());
+ local_exit(112);
+ }
}
if (found_signatures == 0 && statusfd != -1)
{
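Review bot: The comment on this added branch reads ambiguously ("no existent one does and seems unlikely") and is repeated verbatim in the signature loop of SplitClearSignedFile in the last hunk, so the reason for refusing the file is harder to follow than it should be. I would word it once and use the same text in both places, for example `// Radix-64 has no '-' in its alphabet and no defined armor header key starts with one, so such a line is treated as an unrecognised header and the file is refused`. A short comment next to `local_exit(112)` saying what that exit status means to the caller would also help, since its meaning is not visible here. The enclosing else-if chain and the loop start outside the hunk.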
@@ -452,6 +460,10 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile,
return false;
if (buf.empty())
break; // empty line ends the Armor Headers
+ if (buf.starts_with("-"))
+ // § 6.2 says unknown keys should be reported to the user. We don't go that far,
+ // but we assume that there will never be a header key starting with a dash
+ return _error->Error("Clearsigned file '%s' contains unexpected line starting with a dash (%s)", InFile.c_str(), "armor");
if (ContentHeader != nullptr && buf.starts_with("Hash: "))
ContentHeader->push_back(buf.str());
}
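Review bot: Only dash-leading lines are refused in this armor-header loop; any other non-empty line is still accepted, and everything except `Hash: ` is silently dropped by the check right below. If the concern is two parsers disagreeing about headers, an allowlist placed before the `Hash: ` check looks like the more complete guard, e.g. `if (buf.starts_with("Hash: ") == false) return _error->Error("Clearsigned file '%s' contains unexpected armor header", InFile.c_str());` (message text is a suggestion). Whether the verifier acts on any other key at this position is not visible from the hunk, so that should be confirmed before adopting it. The unbraced `if` with a two-line comment between the condition and the `return` would also read more safely with braces; the loop itself starts outside the hunk.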
@@ -463,17 +475,28 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile,
if (buf.readFrom(in.get(), InFile) == false)
return false;
- if (buf == "-----BEGIN PGP SIGNATURE-----")
+ if (buf.starts_with("-"))
{
- if (buf.writeTo(SignatureFile) == false)
- return false;
- break;
+ if (buf == "-----BEGIN PGP SIGNATURE-----")
+ {
+ if (buf.writeTo(SignatureFile) == false)
+ return false;
+ break;
+ }
+ else if (buf.starts_with("- "))
+ {
+ // we don't have any fields which need to be dash-escaped,
+ // but implementations are free to escape all lines …
+ if (buf.writeTo(ContentFile, first_line == false, false, 2) == false)
+ return false;
+ }
+ else
+ // § 7.1 says a client should warn, but we don't really work with files which
+ // should contain lines starting with a dash, so it is a lot more likely that
+ // this is an attempt to trick our parser vs. gpgv parser into ignoring a header
+ return _error->Error("Clearsigned file '%s' contains unexpected line starting with a dash (%s)", InFile.c_str(), "msg");
}
-
- // we don't have any fields which need to be dash-escaped,
- // but implementations are free to escape all lines …
- auto offset = buf.starts_with("- ") ? 2 : 0;
- if (buf.writeTo(ContentFile, first_line == false, false, offset) == false)
+ else if (buf.writeTo(ContentFile, first_line == false, false) == false)
return false;
first_line = false;
}
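Review bot: The inner `else` that ends the dash branch is unbraced and carries three comment lines before its `return`. It is followed directly by `}` and the outer `else if (buf.writeTo(...))`, which makes it easy to misread which condition each `else` belongs to in a parser whose job is to fail closed. I would brace it, `else { return _error->Error("Clearsigned file '%s' contains unexpected line starting with a dash (%s)", InFile.c_str(), "msg"); }`, with the comment moved inside, and brace the outer `else if` as well. The comment could also state that a line consisting of a single `-`, or a dash followed by anything other than a space, is now refused, since the removed `offset` code wrote such lines to the content file unchanged. The loop and the function body continue outside the hunk.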
@@ -491,6 +514,11 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile,
open_signature = true;
else if (open_signature == false)
return _error->Error("Clearsigned file '%s' contains unsigned lines.", InFile.c_str());
+ else if (buf.starts_with("-"))
+ // the used Radix-64 is not using dash for any value, so a valid line can't
+ // start with one. Header keys could, but no existent one does and seems unlikely.
+ // Instead it smells a lot like a header the parser didn't recognize.
+ return _error->Error("Clearsigned file '%s' contains unexpected line starting with a dash (%s)", InFile.c_str(), "sig");
if (buf.writeTo(SignatureFile) == false)
return false;