diff options
-rw-r--r-- | g10/ChangeLog | 8 | ||||
-rw-r--r-- | g10/trustdb.c | 99 | ||||
-rw-r--r-- | po/ChangeLog | 4 | ||||
-rw-r--r-- | po/POTFILES.in | 7 | ||||
-rw-r--r-- | tools/gpg-connect-agent.c | 4 |
5 files changed, 109 insertions, 13 deletions
diff --git a/g10/ChangeLog b/g10/ChangeLog index 9e6602c6e..dba73c96e 100644 --- a/g10/ChangeLog +++ b/g10/ChangeLog @@ -1,3 +1,11 @@ +2007-12-12 David Shaw <dshaw@jabberwocky.com> (wk) + + * trustdb.c (sanitize_regexp): New. Protect against dangerous + regexps (malloc bombs) by force-commenting any characters aside + from the ones we explicitly want. + (check_regexp): Use it here before passing the regexp to + regcomp(). + 2007-12-12 Werner Koch <wk@g10code.com> * misc.c (map_cipher_openpgp_to_gcry): New. Used to map Camellia diff --git a/g10/trustdb.c b/g10/trustdb.c index 62eafba0d..ff218ad80 100644 --- a/g10/trustdb.c +++ b/g10/trustdb.c @@ -1,6 +1,6 @@ /* trustdb.c - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, - * 2005 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, + * 2007 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -1745,6 +1745,71 @@ clean_key(KBNODE keyblock,int noisy,int self_only, uids_cleaned,sigs_cleaned); } +/* Returns a sanitized copy of the regexp (which might be "", but not + NULL). */ +#ifndef DISABLE_REGEX +static char * +sanitize_regexp(const char *old) +{ + size_t start=0,len=strlen(old),idx=0; + int escaped=0,standard_bracket=0; + char *new=xmalloc((len*2)+1); /* enough to \-escape everything if we + have to */ + + /* There are basically two commonly-used regexps here. GPG and most + versions of PGP use "<[^>]+[@.]example\.com>$" and PGP (9) + command line uses "example.com" (i.e. whatever the user specfies, + and we can't expect users know to use "\." instead of "."). So + here are the rules: we're allowed to start with "<[^>]+[@.]" and + end with ">$" or start and end with nothing. In between, the + only legal regex character is ".", and everything else gets + escaped. Part of the gotcha here is that some regex packages + allow more than RFC-4880 requires. For example, 4880 has no "{}" + operator, but GNU regex does. Commenting removes these operators + from consideration. A possible future enhancement is to use + commenting to effectively back off a given regex to the Henry + Spencer syntax in 4880. -dshaw */ + + /* Are we bracketed between "<[^>]+[@.]" and ">$" ? */ + if(len>=12 && strncmp(old,"<[^>]+[@.]",10)==0 + && old[len-2]=='>' && old[len-1]=='$') + { + strcpy(new,"<[^>]+[@.]"); + idx=strlen(new); + standard_bracket=1; + start+=10; + len-=2; + } + + /* Walk the remaining characters and ensure that everything that is + left is not an operational regex character. */ + for(;start<len;start++) + { + if(!escaped && old[start]=='\\') + escaped=1; + else if(!escaped && old[start]!='.') + new[idx++]='\\'; + else + escaped=0; + + new[idx++]=old[start]; + } + + new[idx]='\0'; + + /* Note that the (sub)string we look at might end with a bare "\". + If it does, leave it that way. If the regexp actually ended with + ">$", then it was escaping the ">" and is fine. If the regexp + actually ended with the bare "\", then it's an illegal regexp and + regcomp should kick it out. */ + + if(standard_bracket) + strcat(new,">$"); + + return new; +} +#endif /*!DISABLE_REGEX*/ + /* Used by validate_one_keyblock to confirm a regexp within a trust signature. Returns 1 for match, and 0 for no match or regex error. */ @@ -1755,23 +1820,35 @@ check_regexp(const char *expr,const char *string) /* When DISABLE_REGEX is defined, assume all regexps do not match. */ return 0; -#elif defined(__riscos__) - return riscos_check_regexp(expr, string, DBG_TRUST); #else int ret; - regex_t pat; + char *regexp; - if(regcomp(&pat,expr,REG_ICASE|REG_NOSUB|REG_EXTENDED)!=0) - return 0; + regexp=sanitize_regexp(expr); - ret=regexec(&pat,string,0,NULL,0); +#ifdef __riscos__ + ret=riscos_check_regexp(expr, string, DBG_TRUST); +#else + { + regex_t pat; - regfree(&pat); + ret=regcomp(&pat,regexp,REG_ICASE|REG_NOSUB|REG_EXTENDED); + if(ret==0) + { + ret=regexec(&pat,string,0,NULL,0); + regfree(&pat); + ret=(ret==0); + } + } +#endif if(DBG_TRUST) - log_debug("regexp `%s' on `%s': %s\n",expr,string,ret==0?"YES":"NO"); + log_debug("regexp `%s' (`%s') on `%s': %s\n", + regexp,expr,string,ret==0?"YES":"NO"); + + xfree(regexp); - return (ret==0); + return ret; #endif } diff --git a/po/ChangeLog b/po/ChangeLog index aeb458aa6..e3f450244 100644 --- a/po/ChangeLog +++ b/po/ChangeLog @@ -1,3 +1,7 @@ +2007-12-12 Werner Koch <wk@g10code.com> + + * POTFILES.in: Add a couple of missing files. + 2007-12-03 Jakub Bogusz <qboosh@pld-linux.org> (wk) * pl.po: Updated. Received through entry bug#856. diff --git a/po/POTFILES.in b/po/POTFILES.in index a991fb49d..033fbeb08 100644 --- a/po/POTFILES.in +++ b/po/POTFILES.in @@ -16,6 +16,9 @@ common/simple-pwquery.c common/sysutils.c common/yesno.c common/miscellaneous.c +common/asshelp.c +common/audit.c +common/helpfile.c g10/armor.c g10/build-packet.c @@ -69,6 +72,7 @@ kbx/kbxutil.c scd/app-nks.c scd/app-openpgp.c +scd/app-dinsig.c scd/scdaemon.c sm/base64.c @@ -79,6 +83,7 @@ sm/certcheck.c sm/certdump.c sm/certlist.c sm/certreqgen.c +sm/certreqgen-ui.c sm/decrypt.c sm/delete.c sm/encrypt.c @@ -97,3 +102,5 @@ tools/gpgconf-comp.c tools/gpgconf.c tools/no-libgcrypt.c tools/symcryptrun.c +tools/gpg-check-pattern.c + diff --git a/tools/gpg-connect-agent.c b/tools/gpg-connect-agent.c index e0abaa9c9..57eed64f0 100644 --- a/tools/gpg-connect-agent.c +++ b/tools/gpg-connect-agent.c @@ -1690,8 +1690,8 @@ handle_inquire (assuan_context_t ctx, char *line) if (*line) *line++ = 0; - /* Now match it against our list. he second loop is todetect the - match all entry. **/ + /* Now match it against our list. The second loop is there to + detect the match-all entry. */ for (d=definq_list; d; d = d->next) if (d->name && !strcmp (d->name, name)) break; |