Merge pull request #338 from whiteout-io/audit/WO-03-025

[WO-03-025] Unescape dashes in signed cleartext
Felix Hammerl 2015-05-09 18:15:49 +02:00
commit 4e0388b349
2 changed files with 39 additions and 1 deletions


@ -1598,7 +1598,7 @@ Email.prototype._extractBody = function(message) {
// PGP/INLINE signed
message.signed = true;
message.clearSignedMessage = clearSignedMatch[0];
body = clearSignedMatch[1];
body = (clearSignedMatch[1] || '').replace(/^- /gm, ''); // remove dash escaping https://tools.ietf.org/html/rfc4880#section-7.1
}
if (!message.signed) {
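Review bot: The new `replace(/^- /gm, '')` anchors with `^` under the `m` flag, and in JavaScript that matches after U+2028 and U+2029 (and a bare `\r`) as well as after `\n`. A `- ` that follows one of those characters inside a signed line is therefore stripped from the displayed body, although RFC 4880 section 7.1 dash-escapes only at the start of a line, so the text shown can differ from the text the signature covers. Anchoring on the start of the text or a real line break avoids this, for example `.replace(/(^|\r?\n)- /g, '$1')`. A short comment that `body` comes from this regex rather than from the verification result would also help; where verification happens is not visible here, because `_extractBody` begins and ends outside the hunk.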


@ -953,6 +953,44 @@ describe('Email DAO unit tests', function() {
expect(message.loadingBody).to.be.true;
});
it('should unescape dashes from signed pgp/inline', function(done) {
var expected = 'normal line\ndashed line 1\ndashed line 2';
var pt = '-----BEGIN PGP SIGNED MESSAGE-----\nHash: WTFHASH\n\nnormal line\n- dashed line 1\n- dashed line 2\n-----BEGIN PGP SIGNATURE----------END PGP SIGNATURE-----';
var message = {
uid: uid,
from: [{
address: 'asdasdasd'
}]
};
localListStub.returns(resolves([{
uid: uid,
bodyParts: [{
type: 'text',
content: pt
}]
}]));
keychainStub.getReceiverPublicKey.withArgs(message.from[0].address).returns(resolves(mockKeyPair.publicKey));
pgpStub.verifyClearSignedMessage.withArgs(pt, mockKeyPair.publicKey.publicKey).returns(resolves(true));
dao.getBody({
messages: [message],
folder: inboxFolder
}).then(function() {
expect(message.body).to.equal(expected);
expect(message.signed).to.be.true;
expect(message.signaturesValid).to.be.true;
expect(message.loadingBody).to.be.false;
expect(localListStub.calledOnce).to.be.true;
expect(pgpStub.verifyClearSignedMessage.calledOnce).to.be.true;
expect(keychainStub.getReceiverPublicKey.calledOnce).to.be.true;
done();
});
expect(message.loadingBody).to.be.true;
});
it('should stream from imap and set body', function(done) {
var body = 'bender is great! bender is great!';
var uid = 1234;
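Review bot: The new test pins only the simple case of `- ` in front of ordinary text, so a later change to the unescape pattern could strip too much or too little without any test failing. The fixture should also cover the case the escaping exists for, plus lines that must stay untouched. Constructed examples: add `\n- -----BEGIN PGP MESSAGE-----\n-no space\nmid - line` to `pt` and `\n-----BEGIN PGP MESSAGE-----\n-no space\nmid - line` to `expected`. Separately, the `.then(...)` chain has no rejection handler, so a failing `expect` shows up as a timeout rather than an assertion error; ending the chain with `.catch(done)` would report it directly.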