Merge pull request #338 from whiteout-io/audit/WO-03-025

[WO-03-025] Unescape dashes in signed cleartext
2024-11-22 08:52:15 -05:00 · 2015-05-09 18:15:49 +02:00 · 2015-05-09 18:15:49 +02:00 · 4e0388b349
commit 4e0388b349
parent add1cd3919 6963ea33e9
2 changed files with 39 additions and 1 deletions
--- a/src/js/email/email.js
+++ b/src/js/email/email.js
@ -1598,7 +1598,7 @@ Email.prototype._extractBody = function(message) {
            // PGP/INLINE signed
            message.signed = true;
            message.clearSignedMessage = clearSignedMatch[0];
-            body = clearSignedMatch[1];
+            body = (clearSignedMatch[1] || '').replace(/^- /gm, ''); // remove dash escaping https://tools.ietf.org/html/rfc4880#section-7.1
        }
        if (!message.signed) {
--- a/test/unit/email/email-dao-test.js
+++ b/test/unit/email/email-dao-test.js
@ -953,6 +953,44 @@ describe('Email DAO unit tests', function() {
            expect(message.loadingBody).to.be.true;
        });
        it('should unescape dashes from signed pgp/inline', function(done) {
            var expected = 'normal line\ndashed line 1\ndashed line 2';
            var pt = '-----BEGIN PGP SIGNED MESSAGE-----\nHash: WTFHASH\n\nnormal line\n- dashed line 1\n- dashed line 2\n-----BEGIN PGP SIGNATURE----------END PGP SIGNATURE-----';
            var message = {
                uid: uid,
                from: [{
                    address: 'asdasdasd'
                }]
            };
            localListStub.returns(resolves([{
                uid: uid,
                bodyParts: [{
                    type: 'text',
                    content: pt
                }]
            }]));
            keychainStub.getReceiverPublicKey.withArgs(message.from[0].address).returns(resolves(mockKeyPair.publicKey));
            pgpStub.verifyClearSignedMessage.withArgs(pt, mockKeyPair.publicKey.publicKey).returns(resolves(true));
            dao.getBody({
                messages: [message],
                folder: inboxFolder
            }).then(function() {
                expect(message.body).to.equal(expected);
                expect(message.signed).to.be.true;
                expect(message.signaturesValid).to.be.true;
                expect(message.loadingBody).to.be.false;
                expect(localListStub.calledOnce).to.be.true;
                expect(pgpStub.verifyClearSignedMessage.calledOnce).to.be.true;
                expect(keychainStub.getReceiverPublicKey.calledOnce).to.be.true;
                done();
            });
            expect(message.loadingBody).to.be.true;
        });
        it('should stream from imap and set body', function(done) {
            var body = 'bender is great! bender is great!';
            var uid = 1234;