Merge pull request #357 from whiteout-io/audit/WO-03-014
[WO-03-014] Avoid unsigned content spoofing attack
This commit is contained in:
commit
76f770a12b
@ -1595,7 +1595,7 @@ Email.prototype._extractBody = function(message) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// any content before/after the PGP block will be discarded, untrusted attachments and html is ignored
|
// any content before/after the PGP block will be discarded, untrusted attachments and html is ignored
|
||||||
var clearSignedMatch = /^-{5}BEGIN PGP SIGNED MESSAGE-{5}\nHash:[ ][^\n]+\n(?:[A-Za-z]+:[ ][^\n]+\n)*\n([\s\S]*)\n-{5}BEGIN PGP SIGNATURE-{5}[\S\s]*-{5}END PGP SIGNATURE-{5}$/im.exec(body);
|
var clearSignedMatch = /^-{5}BEGIN PGP SIGNED MESSAGE-{5}\nHash:[ ][^\n]+\n(?:[A-Za-z]+:[ ][^\n]+\n)*\n([\s\S]*?)\n-{5}BEGIN PGP SIGNATURE-{5}[\S\s]*-{5}END PGP SIGNATURE-{5}$/im.exec(body);
|
||||||
if (clearSignedMatch) {
|
if (clearSignedMatch) {
|
||||||
// PGP/INLINE signed
|
// PGP/INLINE signed
|
||||||
message.signed = true;
|
message.signed = true;
|
||||||
|
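Review bot: The lazy quantifier `([\s\S]*?)` on line 27 is the entire fix, yet nothing next to the regex says why it must stay lazy, so a later "cleanup" back to `[\s\S]*` would silently reintroduce the spoof; the intent belongs on the line above the pattern: `// capture must be lazy: the signed body ends at the FIRST signature delimiter, so text (or a second signature block) placed after the real signature is dropped instead of being displayed as signed`. The pattern also hard-codes `\n` line endings while the new fixture in the test hunk is `\r\n`-terminated, so the match presumably relies on a normalisation step outside this hunk — a `\r\n` body would not satisfy the `\n\n` blank-line separator and would not take the signed path, which deserves a comment or an assertion where the normalisation happens. A regex-level unit test (clear-signed text followed by a second BEGIN/END PGP SIGNATURE pair) would pin this behaviour more directly than the end-to-end DAO test. `_extractBody` starts and ends outside the hunk.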
@ -100,6 +100,10 @@ describe('Email DAO integration tests', function() {
|
|||||||
}, {
|
}, {
|
||||||
raw: 'Message-id: <foobar>\r\nSubject: moveme\r\n\r\nmoveme!',
|
raw: 'Message-id: <foobar>\r\nSubject: moveme\r\n\r\nmoveme!',
|
||||||
uid: 900
|
uid: 900
|
||||||
|
}, {
|
||||||
|
description: "Thunderbird (no attachment - PGP/INLINE): Signed w/ unsigned content spoofing attack",
|
||||||
|
raw: "Message-ID: <53A87B12.9010706@gmail.com>\r\nDate: Mon, 23 Jun 2014 21:08:02 +0200\r\nFrom: Andris Testbox2 <safewithme.testuser@gmail.com>\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.2.0\r\nMIME-Version: 1.0\r\nTo: safewithme.testuser@gmail.com\r\nSubject: test6\r\nX-Enigmail-Version: 1.6\r\nContent-Type: text/plain; charset=ISO-8859-1\r\nContent-Transfer-Encoding: 7bit\r\n\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA512\r\n\r\ntest6\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.13 (Darwin)\r\nComment: GPGTools - https://gpgtools.org\r\nComment: Using GnuPG with Thunderbird - http://www.enigmail.net/\r\n\r\niQEcBAEBCgAGBQJTqHsSAAoJENf7k/zfv8I8wz4H/RWo1qJvvJtMl7GyqGGbaByX\r\n/D7/yWJzMdE0Y7J/tHIexQ/sZnmcDlHG0mtJKgI7EOh2EyV+r+78vF71Mlc+bg8g\r\n3B4TKyp0QU1Pb6SETG//FtKrU7SnkjKujHvRMpzcOcm0ZLBDpmftyWLvp9Dg3KOF\r\n5sMBGpJRn1pqX2DxXZtc1rYOmSAaxFI5jewPws0DCDkLDGp9gLyusNeDHkmAT4AG\r\nDqsDPQvW0R4Sy7aQFT7GjrdnCiLyikynkocUpR95fDnjHJ6Xbyj2Yj9/ofewPQ//\r\nMq39sIYbcqlDBAhsOlii3ekdzLS4xEOkvtFoD4pufyLj3pYY60FG4bPygcccYkI=\r\n=IkRV\r\n-----END PGP SIGNATURE-----\r\n\r\nTHIS IS UNSINGED CONTENT AND MUST NOT BE SHOWN\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n-----END PGP SIGNATURE-----\r\n",
|
||||||
|
uid: 910
|
||||||
}];
|
}];
|
||||||
|
|
||||||
imapFolders = {
|
imapFolders = {
|
||||||
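Review bot: The new fixture on line 73 only exercises unsigned text appended after the genuine signature block; the parser comment in the first hunk states that content before the block is discarded as well, but no fixture places a leading unsigned paragraph ahead of `-----BEGIN PGP SIGNED MESSAGE-----`, so that half of the claim has no regression test. A sibling fixture with leading text and the same `'test6'` body expectation would cover it. The marker string `THIS IS UNSINGED CONTENT AND MUST NOT BE SHOWN` carries the same typo as the commit title (`UNSIGNED`), which makes the fixture harder to find by search.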
@ -563,6 +567,14 @@ describe('Email DAO integration tests', function() {
|
|||||||
done();
|
done();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('should parse Thunderbird (no attachment): Signed w/ PGP/INLINE including unsigned content spoofing attack', function() {
|
||||||
|
expect(inbox.messages[19].encrypted).to.be.false;
|
||||||
|
expect(inbox.messages[19].signed).to.be.true;
|
||||||
|
expect(inbox.messages[19].signaturesValid).to.be.true;
|
||||||
|
expect(inbox.messages[19].attachments.length).to.equal(0);
|
||||||
|
expect(inbox.messages[19].body).to.equal('test6');
|
||||||
|
});
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
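Review bot: The assertions on lines 119–135 address the fixture by position (`inbox.messages[19]`), so inserting or reordering any earlier fixture silently retargets this regression test at a different message and the spoof check stops testing what its title says. Selecting the message by its identifier is sturdier, e.g. `var msg = inbox.messages.filter(function(m) { return m.uid === 910; })[0];` followed by `expect(msg.body).to.equal('test6');` — this assumes the DAO exposes the IMAP uid on message objects, which the fixture suggests but the hunk does not show. The `body` equality on line 135 is the assertion that actually proves the fix, so it should be the last one a future editor would remove. The enclosing `describe` block starts outside the hunk.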