
Showing content from https://github.com/openpgpjs/openpgpjs/commit/93ca8b62fe04f6942966acae43efdd8e76df4b78 below:

OP-01-019 Cleartext Message Spoofing in Armor Headers (Critical). Fix… · openpgpjs/openpgpjs@93ca8b6 · GitHub

File tree Expand file treeCollapse file tree 2 files changed

+32

-12

lines changed


@@ -27,58 +27,62 @@ var base64 = require('./base64.js'),

27 27

config = require('../config');

28 28 29 29

/**

30 -

* Finds out which Ascii Armoring type is used. This is an internal function

30 +

* Finds out which Ascii Armoring type is used. Throws error if unknown type.

31 +

* @private

31 32

* @param {String} text [String] ascii armored text

32 33

* @returns {Integer} 0 = MESSAGE PART n of m

33 34

* 1 = MESSAGE PART n

34 35

* 2 = SIGNED MESSAGE

35 36

* 3 = PGP MESSAGE

36 37

* 4 = PUBLIC KEY BLOCK

37 38

* 5 = PRIVATE KEY BLOCK

38 -

* null = unknown

39 39

*/

40 40

function getType(text) {

41 -

var reHeader = /^-----([^-]+)-----$\n/m;

41 +

var reHeader = /^-----BEGIN PGP (MESSAGE, PART \d+\/\d+|MESSAGE, PART \d+|SIGNED MESSAGE|MESSAGE|PUBLIC KEY BLOCK|PRIVATE KEY BLOCK)-----$\n/m;

42 42 43 43

var header = text.match(reHeader);

44 44 45 +

if (!header) {

46 +

throw new Error('Unknow ASCII armor type');

47 +

}

48 + 45 49

// BEGIN PGP MESSAGE, PART X/Y

46 50

// Used for multi-part messages, where the armor is split amongst Y

47 51

// parts, and this is the Xth part out of Y.

48 -

if (header[1].match(/BEGIN PGP MESSAGE, PART \d+\/\d+/)) {

52 +

if (header[1].match(/MESSAGE, PART \d+\/\d+/)) {

49 53

return enums.armor.multipart_section;

50 54

} else

51 55

// BEGIN PGP MESSAGE, PART X

52 56

// Used for multi-part messages, where this is the Xth part of an

53 57

// unspecified number of parts. Requires the MESSAGE-ID Armor

54 58

// Header to be used.

55 -

if (header[1].match(/BEGIN PGP MESSAGE, PART \d+/)) {

59 +

if (header[1].match(/MESSAGE, PART \d+/)) {

56 60

return enums.armor.multipart_last;

57 61 58 62

} else

59 63

// BEGIN PGP SIGNATURE

60 64

// Used for detached signatures, OpenPGP/MIME signatures, and

61 65

// cleartext signatures. Note that PGP 2.x uses BEGIN PGP MESSAGE

62 66

// for detached signatures.

63 -

if (header[1].match(/BEGIN PGP SIGNED MESSAGE/)) {

67 +

if (header[1].match(/SIGNED MESSAGE/)) {

64 68

return enums.armor.signed;

65 69 66 70

} else

67 71

// BEGIN PGP MESSAGE

68 72

// Used for signed, encrypted, or compressed files.

69 -

if (header[1].match(/BEGIN PGP MESSAGE/)) {

73 +

if (header[1].match(/MESSAGE/)) {

70 74

return enums.armor.message;

71 75 72 76

} else

73 77

// BEGIN PGP PUBLIC KEY BLOCK

74 78

// Used for armoring public keys.

75 -

if (header[1].match(/BEGIN PGP PUBLIC KEY BLOCK/)) {

79 +

if (header[1].match(/PUBLIC KEY BLOCK/)) {

76 80

return enums.armor.public_key;

77 81 78 82

} else

79 83

// BEGIN PGP PRIVATE KEY BLOCK

80 84

// Used for armoring private keys.

81 -

if (header[1].match(/BEGIN PGP PRIVATE KEY BLOCK/)) {

85 +

if (header[1].match(/PRIVATE KEY BLOCK/)) {

82 86

return enums.armor.private_key;

83 87

}

84 88

}

@@ -277,9 +281,6 @@ function dearmor(text) {

277 281

text = text.replace(/\r/g, '');

278 282 279 283

var type = getType(text);

280 -

if (!type) {

281 -

throw new Error('Unknow ASCII armor type');

282 -

}

283 284 284 285

var splittext = text.split(reSplit);
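Review bot: `getType` now classifies with the strict `reHeader`, but `dearmor` still cuts the text with `reSplit`, which is defined outside this hunk, and `reHeader` keeps the `m` flag, so it accepts the first conforming line anywhere in the input. If `reSplit` is looser than `reHeader`, the type can be taken from one line and the split from another; I would confirm that both accept the same header lines, or derive the split position from the `reHeader` match. Inside `getType` the branches re-test `header[1]` with unanchored patterns (`/MESSAGE/` also matches `SIGNED MESSAGE`), which is correct only because of their order; anchoring them, e.g. `/^MESSAGE$/`, removes that dependency. The message `'Unknow ASCII armor type'` also has a typo that the new test pins.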

285 286 Original file line number Diff line number Diff line change

@@ -112,6 +112,25 @@ describe("ASCII armor", function() {

112 112

expect(msg).to.throw(Error, /Improperly formatted armor header/);

113 113

});

114 114 115 +

it('Exception if wrong armor header type', function () {

116 +

var msg =

117 +

['-----BEGIN PGP SIGNED MESSAGE\u2010\u2010\u2010\u2010\u2010\nHash:SHA1\n\nIs this properly-----',

118 +

'',

119 +

'sign this',

120 +

'-----BEGIN PGP SIGNATURE-----',

121 +

'Version: GnuPG v2.0.22 (GNU/Linux)',

122 +

'',

123 +

'iJwEAQECAAYFAlMrPj0ACgkQ4IT3RGwgLJfYkQQAgHMQieazCVdfGAfzQM69Egm5',

124 +

'HhcQszODD898wpoGCHgiNdNo1+5nujQAtXnkcxM+Vf7onfbTvUqut/siyO3fzqhK',

125 +

'LQ9DiQUwJMBE8nOwVR7Mpc4kLNngMTNaHAjZaVaDpTCrklPY+TPHIZnu0B6Ur+6t',

126 +

'skTzzVXIxMYw8ihbHfk=',

127 +

'=e/eA',

128 +

'-----END PGP SIGNATURE-----'].join('\n');

129 + 130 +

msg = openpgp.cleartext.readArmored.bind(null, msg);

131 +

expect(msg).to.throw(Error, /Unknow ASCII armor type/);

132 +

});

133 + 115 134

});

116 135 117 136
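Review bot: The new case covers only a header whose closing dashes are U+2010 characters, and nothing in the test says that this is what it checks; a comment such as `// closing dashes are U+2010 HYPHEN, not ASCII '-': must not parse as an armor header (OP-01-019)` above `var msg` would make the intent visible. I would add a second negative case with an all-ASCII but unknown label (a constructed example: `-----BEGIN PGP FOO-----`), since the stricter alternation in `getType` is what rejects it. The `describe` block starts outside the hunk, so existing positive cases are not visible here; if none exercises a `MESSAGE, PART n/m` header, one is worth adding, because that type is documented as value 0 and the removed `if (!type)` check in `dearmor` would have treated it as unknown.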
