Doc fixes.

Add more files to POTFILES.
Protect against malloc bombs.

5 files changed, 109 insertions, 13 deletions

diff --git a/g10/ChangeLog b/g10/ChangeLog
index 9e6602c6e..dba73c96e 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,11 @@
+2007-12-12  David Shaw  <dshaw@jabberwocky.com>  (wk)
+
+	* trustdb.c (sanitize_regexp): New.  Protect against dangerous
+	regexps (malloc bombs) by force-commenting any characters aside
+	from the ones we explicitly want.
+	(check_regexp): Use it here before passing the regexp to
+	regcomp().
+
 2007-12-12  Werner Koch  <wk@g10code.com>
 
 	* misc.c (map_cipher_openpgp_to_gcry): New.  Used to map Camellia
diff --git a/g10/trustdb.c b/g10/trustdb.c
index 62eafba0d..ff218ad80 100644
--- a/g10/trustdb.c
+++ b/g10/trustdb.c
@@ -1,6 +1,6 @@
 /* trustdb.c
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004,
- *               2005 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
+ *               2007 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -1745,6 +1745,71 @@ clean_key(KBNODE keyblock,int noisy,int self_only,
 		    uids_cleaned,sigs_cleaned);
 }
 
+/* Returns a sanitized copy of the regexp (which might be "", but not
+   NULL). */
+#ifndef DISABLE_REGEX
+static char *
+sanitize_regexp(const char *old)
+{
+  size_t start=0,len=strlen(old),idx=0;
+  int escaped=0,standard_bracket=0;
+  char *new=xmalloc((len*2)+1); /* enough to \-escape everything if we
+				   have to */
+
+  /* There are basically two commonly-used regexps here.  GPG and most
+     versions of PGP use "<[^>]+[@.]example\.com>$" and PGP (9)
+     command line uses "example.com" (i.e. whatever the user specfies,
+     and we can't expect users know to use "\." instead of ".").  So
+     here are the rules: we're allowed to start with "<[^>]+[@.]" and
+     end with ">$" or start and end with nothing.  In between, the
+     only legal regex character is ".", and everything else gets
+     escaped.  Part of the gotcha here is that some regex packages
+     allow more than RFC-4880 requires.  For example, 4880 has no "{}"
+     operator, but GNU regex does.  Commenting removes these operators
+     from consideration.  A possible future enhancement is to use
+     commenting to effectively back off a given regex to the Henry
+     Spencer syntax in 4880. -dshaw */
+
+  /* Are we bracketed between "<[^>]+[@.]" and ">$" ? */
+  if(len>=12 && strncmp(old,"<[^>]+[@.]",10)==0
+     && old[len-2]=='>' && old[len-1]=='$')
+    {
+      strcpy(new,"<[^>]+[@.]");
+      idx=strlen(new);
+      standard_bracket=1;
+      start+=10;
+      len-=2;
+    }
+
+  /* Walk the remaining characters and ensure that everything that is
+     left is not an operational regex character. */
+  for(;start<len;start++)
+    {
+      if(!escaped && old[start]=='\\')
+	escaped=1;
+      else if(!escaped && old[start]!='.')
+	new[idx++]='\\';
+      else
+	escaped=0;
+
+      new[idx++]=old[start];
+    }
+
+  new[idx]='\0';
+
+  /* Note that the (sub)string we look at might end with a bare "\".
+     If it does, leave it that way.  If the regexp actually ended with
+     ">$", then it was escaping the ">" and is fine.  If the regexp
+     actually ended with the bare "\", then it's an illegal regexp and
+     regcomp should kick it out. */
+
+  if(standard_bracket)
+    strcat(new,">$");
+
+  return new;
+}
+#endif /*!DISABLE_REGEX*/
+
 /* Used by validate_one_keyblock to confirm a regexp within a trust
    signature.  Returns 1 for match, and 0 for no match or regex
    error. */
@@ -1755,23 +1820,35 @@ check_regexp(const char *expr,const char *string)
   /* When DISABLE_REGEX is defined, assume all regexps do not
      match. */
   return 0;
-#elif defined(__riscos__)
-  return riscos_check_regexp(expr, string, DBG_TRUST);
 #else
   int ret;
-  regex_t pat;
+  char *regexp;
 
-  if(regcomp(&pat,expr,REG_ICASE|REG_NOSUB|REG_EXTENDED)!=0)
-    return 0;
+  regexp=sanitize_regexp(expr);
 
-  ret=regexec(&pat,string,0,NULL,0);
+#ifdef __riscos__
+  ret=riscos_check_regexp(expr, string, DBG_TRUST);
+#else
+  {
+    regex_t pat;
 
-  regfree(&pat);
+    ret=regcomp(&pat,regexp,REG_ICASE|REG_NOSUB|REG_EXTENDED);
+    if(ret==0)
+      {
+	ret=regexec(&pat,string,0,NULL,0);
+	regfree(&pat);
+	ret=(ret==0);
+      }
+  }
+#endif
 
   if(DBG_TRUST)
-    log_debug("regexp `%s' on `%s': %s\n",expr,string,ret==0?"YES":"NO");
+    log_debug("regexp `%s' (`%s') on `%s': %s\n",
+	      regexp,expr,string,ret==0?"YES":"NO");
+
+  xfree(regexp);
 
-  return (ret==0);
+  return ret;
 #endif
 }
 
diff --git a/po/ChangeLog b/po/ChangeLog
index aeb458aa6..e3f450244 100644
--- a/po/ChangeLog
+++ b/po/ChangeLog
@@ -1,3 +1,7 @@
+2007-12-12  Werner Koch  <wk@g10code.com>
+
+	* POTFILES.in: Add a couple of missing files.
+
 2007-12-03  Jakub Bogusz  <qboosh@pld-linux.org>  (wk)
 
 	* pl.po: Updated.  Received through entry bug#856.
diff --git a/po/POTFILES.in b/po/POTFILES.in
index a991fb49d..033fbeb08 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -16,6 +16,9 @@ common/simple-pwquery.c
 common/sysutils.c
 common/yesno.c
 common/miscellaneous.c
+common/asshelp.c
+common/audit.c
+common/helpfile.c
 
 g10/armor.c
 g10/build-packet.c
@@ -69,6 +72,7 @@ kbx/kbxutil.c
 
 scd/app-nks.c
 scd/app-openpgp.c
+scd/app-dinsig.c
 scd/scdaemon.c
 
 sm/base64.c
@@ -79,6 +83,7 @@ sm/certcheck.c
 sm/certdump.c
 sm/certlist.c
 sm/certreqgen.c
+sm/certreqgen-ui.c
 sm/decrypt.c
 sm/delete.c
 sm/encrypt.c
@@ -97,3 +102,5 @@ tools/gpgconf-comp.c
 tools/gpgconf.c
 tools/no-libgcrypt.c
 tools/symcryptrun.c
+tools/gpg-check-pattern.c
+
diff --git a/tools/gpg-connect-agent.c b/tools/gpg-connect-agent.c
index e0abaa9c9..57eed64f0 100644
--- a/tools/gpg-connect-agent.c
+++ b/tools/gpg-connect-agent.c
@@ -1690,8 +1690,8 @@ handle_inquire (assuan_context_t ctx, char *line)
   if (*line)
     *line++ = 0;
 
-  /* Now match it against our list. he second loop is todetect the
-     match all entry. **/
+  /* Now match it against our list.  The second loop is there to
+     detect the match-all entry. */
   for (d=definq_list; d; d = d->next)
     if (d->name && !strcmp (d->name, name))
         break;