Merge pull request #118 from whiteout-io/dev/WO-587

[WO-587] Explicitly include arbitrary headers in clearsigned regex
2024-11-26 19:02:20 -05:00 · 2014-09-12 18:09:47 +02:00 · 2014-09-12 18:09:47 +02:00 · 2caeaeea3f
commit 2caeaeea3f
parent 3cfbad1498 ad2b6d1237
2 changed files with 6 additions and 5 deletions
--- a/src/js/dao/email-dao.js
+++ b/src/js/dao/email-dao.js
@ -772,11 +772,11 @@ define(function(require) {
            /*
             * any content before/after the PGP block will be discarded,
             * "-----BEGIN/END (...)-----" must be at the start/end of a line,
-             * after \n\n the signed payload begins,
+             * after the hash (and possibly other) arbitrary headers, the signed payload begins,
             * the text is followed by a final \n and then the pgp signature begins
             * untrusted attachments and html is ignored
             */
-            var clearSignedMatch = /^-{5}BEGIN PGP SIGNED MESSAGE-{5}[\s\S]*\n\n([\s\S]*)\n-{5}BEGIN PGP SIGNATURE-{5}[\S\s]*-{5}END PGP SIGNATURE-{5}$/im.exec(body);
+            var clearSignedMatch = /^-{5}BEGIN PGP SIGNED MESSAGE-{5}\nHash:[ ][^\n]+\n(?:[A-Za-z]+:[ ][^\n]+\n)*\n([\s\S]*)\n-{5}BEGIN PGP SIGNATURE-{5}[\S\s]*-{5}END PGP SIGNATURE-{5}$/im.exec(body);
            if (clearSignedMatch) {
                // PGP/INLINE signed
                message.signed = true;
--- a/test/unit/email-dao-test.js
+++ b/test/unit/email-dao-test.js
@ -1010,9 +1010,10 @@ define(function(require) {
                });

                it('should read a signed pgp/inline from the device', function(done) {
-                    var message, pt;
+                    var message, pt, expected;

-                    pt = '-----BEGIN PGP SIGNED MESSAGE-----\n\ntest6\n-----BEGIN PGP SIGNATURE----------END PGP SIGNATURE-----';
+                    expected = 'Lorem ipsum Aliquip tempor veniam proident.\n\nafguab;igab;igubalw\n\nLorem ipsum Dolor sed irure sint in non.\n\n\n';
+                    pt = '-----BEGIN PGP SIGNED MESSAGE-----\nHash: WTFHASH\n\n' + expected + '\n-----BEGIN PGP SIGNATURE----------END PGP SIGNATURE-----';
                    message = {
                        uid: uid,
                        from: [{
@ -1036,7 +1037,7 @@ define(function(require) {
                        expect(err).to.not.exist;

                        expect(msg).to.equal(message);
-                        expect(msg.body).to.equal('test6');
+                        expect(msg.body).to.equal(expected);
                        expect(message.signed).to.be.true;
                        expect(message.signaturesValid).to.be.true;
                        expect(message.loadingBody).to.be.false;