diff options
Diffstat (limited to 'apt-pkg/contrib/gpgv.cc')
-rw-r--r-- | apt-pkg/contrib/gpgv.cc | 46 |
1 files changed, 37 insertions, 9 deletions
diff --git a/apt-pkg/contrib/gpgv.cc b/apt-pkg/contrib/gpgv.cc index 6e4e9b3df..0b595fc4c 100644 --- a/apt-pkg/contrib/gpgv.cc +++ b/apt-pkg/contrib/gpgv.cc @@ -297,6 +297,14 @@ void ExecGPGV(std::string const &File, std::string const &FileGPG, if (found_signatures != 0) break; } + else if (buf.starts_with("-")) + { + // the used Radix-64 is not using dash for any value, so a valid line can't + // start with one. Header keys could, but no existent one does and seems unlikely. + // Instead it smells a lot like a header the parser didn't recognize. + apt_error(std::cerr, statusfd, fd, "Detached signature file '%s' contains unexpected line starting with a dash", FileGPG.c_str()); + local_exit(112); + } } if (found_signatures == 0 && statusfd != -1) { @@ -452,6 +460,10 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile, return false; if (buf.empty()) break; // empty line ends the Armor Headers + if (buf.starts_with("-")) + // § 6.2 says unknown keys should be reported to the user. We don't go that far, + // but we assume that there will never be a header key starting with a dash + return _error->Error("Clearsigned file '%s' contains unexpected line starting with a dash (%s)", InFile.c_str(), "armor"); if (ContentHeader != nullptr && buf.starts_with("Hash: ")) ContentHeader->push_back(buf.str()); } @@ -463,17 +475,28 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile, if (buf.readFrom(in.get(), InFile) == false) return false; - if (buf == "-----BEGIN PGP SIGNATURE-----") + if (buf.starts_with("-")) { - if (buf.writeTo(SignatureFile) == false) - return false; - break; + if (buf == "-----BEGIN PGP SIGNATURE-----") + { + if (buf.writeTo(SignatureFile) == false) + return false; + break; + } + else if (buf.starts_with("- ")) + { + // we don't have any fields which need to be dash-escaped, + // but implementations are free to escape all lines … + if (buf.writeTo(ContentFile, first_line == false, false, 2) == false) + return false; + } + else + // § 7.1 says a client should warn, but we don't really work with files which + // should contain lines starting with a dash, so it is a lot more likely that + // this is an attempt to trick our parser vs. gpgv parser into ignoring a header + return _error->Error("Clearsigned file '%s' contains unexpected line starting with a dash (%s)", InFile.c_str(), "msg"); } - - // we don't have any fields which need to be dash-escaped, - // but implementations are free to escape all lines … - auto offset = buf.starts_with("- ") ? 2 : 0; - if (buf.writeTo(ContentFile, first_line == false, false, offset) == false) + else if (buf.writeTo(ContentFile, first_line == false, false) == false) return false; first_line = false; } @@ -491,6 +514,11 @@ bool SplitClearSignedFile(std::string const &InFile, FileFd * const ContentFile, open_signature = true; else if (open_signature == false) return _error->Error("Clearsigned file '%s' contains unsigned lines.", InFile.c_str()); + else if (buf.starts_with("-")) + // the used Radix-64 is not using dash for any value, so a valid line can't + // start with one. Header keys could, but no existent one does and seems unlikely. + // Instead it smells a lot like a header the parser didn't recognize. + return _error->Error("Clearsigned file '%s' contains unexpected line starting with a dash (%s)", InFile.c_str(), "sig"); if (buf.writeTo(SignatureFile) == false) return false; |