1
0
mirror of https://github.com/moparisthebest/mail synced 2024-11-21 08:34:59 -05:00

Merge pull request #357 from whiteout-io/audit/WO-03-014

[WO-03-014] Avoid unsinged content spoofing attack
This commit is contained in:
Tankred Hase 2015-05-21 17:25:35 +02:00
commit 76f770a12b
2 changed files with 13 additions and 1 deletions

View File

@ -1595,7 +1595,7 @@ Email.prototype._extractBody = function(message) {
}
// any content before/after the PGP block will be discarded, untrusted attachments and html is ignored
var clearSignedMatch = /^-{5}BEGIN PGP SIGNED MESSAGE-{5}\nHash:[ ][^\n]+\n(?:[A-Za-z]+:[ ][^\n]+\n)*\n([\s\S]*)\n-{5}BEGIN PGP SIGNATURE-{5}[\S\s]*-{5}END PGP SIGNATURE-{5}$/im.exec(body);
var clearSignedMatch = /^-{5}BEGIN PGP SIGNED MESSAGE-{5}\nHash:[ ][^\n]+\n(?:[A-Za-z]+:[ ][^\n]+\n)*\n([\s\S]*?)\n-{5}BEGIN PGP SIGNATURE-{5}[\S\s]*-{5}END PGP SIGNATURE-{5}$/im.exec(body);
if (clearSignedMatch) {
// PGP/INLINE signed
message.signed = true;

View File

@ -100,6 +100,10 @@ describe('Email DAO integration tests', function() {
}, {
raw: 'Message-id: <foobar>\r\nSubject: moveme\r\n\r\nmoveme!',
uid: 900
}, {
description: "Thunderbird (no attachment - PGP/INLINE): Signed w/ unsigned content spoofing attack",
raw: "Message-ID: <53A87B12.9010706@gmail.com>\r\nDate: Mon, 23 Jun 2014 21:08:02 +0200\r\nFrom: Andris Testbox2 <safewithme.testuser@gmail.com>\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.2.0\r\nMIME-Version: 1.0\r\nTo: safewithme.testuser@gmail.com\r\nSubject: test6\r\nX-Enigmail-Version: 1.6\r\nContent-Type: text/plain; charset=ISO-8859-1\r\nContent-Transfer-Encoding: 7bit\r\n\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\ntest6\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Darwin)\r\nComment: GPGTools - https://gpgtools.org\r\nComment: Using GnuPG with Thunderbird - http://www.enigmail.net/\r\n\r\niQEcBAEBCgAGBQJTqHsSAAoJENf7k/zfv8I8wz4H/RWo1qJvvJtMl7GyqGGbaByX\r\n/D7/yWJzMdE0Y7J/tHIexQ/sZnmcDlHG0mtJKgI7EOh2EyV+r+78vF71Mlc+bg8g\r\n3B4TKyp0QU1Pb6SETG//FtKrU7SnkjKujHvRMpzcOcm0ZLBDpmftyWLvp9Dg3KOF\r\n5sMBGpJRn1pqX2DxXZtc1rYOmSAaxFI5jewPws0DCDkLDGp9gLyusNeDHkmAT4AG\r\nDqsDPQvW0R4Sy7aQFT7GjrdnCiLyikynkocUpR95fDnjHJ6Xbyj2Yj9/ofewPQ//\r\nMq39sIYbcqlDBAhsOlii3ekdzLS4xEOkvtFoD4pufyLj3pYY60FG4bPygcccYkI=\r\n=IkRV\r\n-----END PGP SIGNATURE-----\r\n\r\nTHIS IS UNSINGED CONTENT AND MUST NOT BE SHOWN\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n-----END PGP SIGNATURE-----\r\n",
uid: 910
}];
imapFolders = {
@ -563,6 +567,14 @@ describe('Email DAO integration tests', function() {
done();
});
});
it('should parse Thunderbird (no attachment): Signed w/ PGP/INLINE including unsigned content spoofing attack', function() {
expect(inbox.messages[19].encrypted).to.be.false;
expect(inbox.messages[19].signed).to.be.true;
expect(inbox.messages[19].signaturesValid).to.be.true;
expect(inbox.messages[19].attachments.length).to.equal(0);
expect(inbox.messages[19].body).to.equal('test6');
});
});
});