Diffstat (limited to 'apt-pkg/contrib/gpgv.cc')
-rw-r--r--apt-pkg/contrib/gpgv.cc46
1 files changed, 37 insertions, 9 deletions
diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc
index 6e4e9b3df..0b595fc4c 100644
--- a/apt-pkg/contrib/gpgv.cc
+++ b/apt-pkg/contrib/gpgv.cc
@@ -297,6 +297,14 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG,
if (found_signatures != 0)
break;
}
+ else if (buf.starts_with("-"))
+ {
+ // the used Radix-64 is not using dash for any value, so a valid line can't
+ // start with one. Header keys could, but no existent one does and seems unlikely.
+ // Instead it smells a lot like a header the parser didn't recognize.
+ apt_error(std::cerr, statusfd, fd, "Detached signature file '%s' contains unexpected line starting with a dash", FileGPG.c_str());
+ local_exit(112);
+ }
}
if (found_signatures == 0 && statusfd != -1)
{
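Review bot: The dash check and its three-line rationale added in this `else if` branch are repeated word for word in the `"sig"` branch of SplitClearSignedFile (the last hunk), so the same rule now lives in two parsers with different failure paths (`apt_error` plus `local_exit(112)` here, `_error->Error` there). The change exists to keep this parser's view of a signature file in step with gpgv's, so a later edit to one copy and not the other would reopen that kind of gap. Consider keeping the rationale in one place and pointing to it from the other, e.g. `// same rule as the "sig" check in SplitClearSignedFile`. The `else if` chain this branch joins starts outside the hunk, so the parser state it runs in cannot be confirmed from here.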
@@ -452,6 +460,10 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile,
return false;
if (buf.empty())
break; // empty line ends the Armor Headers
+ if (buf.starts_with("-"))
+ // § 6.2 says unknown keys should be reported to the user. We don't go that far,
+ // but we assume that there will never be a header key starting with a dash
+ return _error->Error("Clearsigned file '%s' contains unexpected line starting with a dash (%s)", InFile.c_str(), "armor");
if (ContentHeader != nullptr && buf.starts_with("Hash: "))
ContentHeader->push_back(buf.str());
}
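Review bot: The armor-header loop still accepts every line that does not start with a dash, because the added check rejects one leading character while only `Hash: ` lines are acted on just below it. The comment itself notes that unknown keys are not reported, so a key that the verifier interprets but this parser ignores would pass through silently. Unless repositories in use are known to ship other keys, an allowlist placed before the `push_back` is tighter: `if (buf.starts_with("Hash: ") == false) return _error->Error("Clearsigned file '%s' contains unexpected armor header", InFile.c_str());` (the message text is only a suggestion). The loop begins outside the hunk, so an earlier check for other keys may already exist.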
@@ -463,17 +475,28 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile,
if (buf.readFrom(in.get(), InFile) == false)
return false;
- if (buf == "-----BEGIN PGP SIGNATURE-----")
+ if (buf.starts_with("-"))
{
- if (buf.writeTo(SignatureFile) == false)
- return false;
- break;
+ if (buf == "-----BEGIN PGP SIGNATURE-----")
+ {
+ if (buf.writeTo(SignatureFile) == false)
+ return false;
+ break;
+ }
+ else if (buf.starts_with("- "))
+ {
+ // we don't have any fields which need to be dash-escaped,
+ // but implementations are free to escape all lines …
+ if (buf.writeTo(ContentFile, first_line == false, false, 2) == false)
+ return false;
+ }
+ else
+ // § 7.1 says a client should warn, but we don't really work with files which
+ // should contain lines starting with a dash, so it is a lot more likely that
+ // this is an attempt to trick our parser vs. gpgv parser into ignoring a header
+ return _error->Error("Clearsigned file '%s' contains unexpected line starting with a dash (%s)", InFile.c_str(), "msg");
}
-
- // we don't have any fields which need to be dash-escaped,
- // but implementations are free to escape all lines …
- auto offset = buf.starts_with("- ") ? 2 : 0;
- if (buf.writeTo(ContentFile, first_line == false, false, offset) == false)
+ else if (buf.writeTo(ContentFile, first_line == false, false) == false)
return false;
first_line = false;
}
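Review bot: The final `else` of the new dash-handling chain has no braces, and three comment lines sit between it and the `return _error->Error(...)` it governs, while the two branches above it are braced. Each branch here is an accept/reject decision on signed input, so a statement added under that comment later would silently fall outside the `else`. Brace it and move the comment inside: `else { /* § 7.1 … */ return _error->Error(…, "msg"); }`. The same un-braced comment-then-return form is used for the `"armor"` check in the previous hunk and the `"sig"` check in the last hunk. The enclosing loop starts and ends outside this hunk.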
@@ -491,6 +514,11 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile,
open_signature = true;
else if (open_signature == false)
return _error->Error("Clearsigned file '%s' contains unsigned lines.", InFile.c_str());
+ else if (buf.starts_with("-"))
+ // the used Radix-64 is not using dash for any value, so a valid line can't
+ // start with one. Header keys could, but no existent one does and seems unlikely.
+ // Instead it smells a lot like a header the parser didn't recognize.
+ return _error->Error("Clearsigned file '%s' contains unexpected line starting with a dash (%s)", InFile.c_str(), "sig");
if (buf.writeTo(SignatureFile) == false)
return false;