From 4495df0f42592aba6768d6050bce07d00062182d Mon Sep 17 00:00:00 2001
From: Tom James Holub
Date: Sat, 25 Nov 2017 10:57:41 +0800
Subject: [PATCH] improve armor header validation + tests | #598
---
 src/encoding/armor.js | 2 +-
 test/general/armor.js | 28 ++++++++++++++++++++++------
 2 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/src/encoding/armor.js b/src/encoding/armor.js
index 6c175393..8db6ff36 100644
--- a/src/encoding/armor.js
+++ b/src/encoding/armor.js
@@ -224,7 +224,7 @@ function splitHeaders(text) {
 */
 function verifyHeaders(headers) {
 for (var i = 0; i < headers.length; i++) {
- if (!/^[^:\s]+: .+$/.test(headers[i])) {
+ if (!/^([^\s:]|[^\s:][^:]*[^\s:]): .+$/.test(headers[i])) {
 throw new Error('Improperly formatted armor header: ' + headers[i]);
 }
 if (config.debug && !/^(Version|Comment|MessageID|Hash|Charset): .+$/.test(headers[i])) {
diff --git a/test/general/armor.js b/test/general/armor.js
index 2644abea..0811d69c 100644
--- a/test/general/armor.js
+++ b/test/general/armor.js
@@ -8,15 +8,17 @@ var chai = require('chai'),
 describe("ASCII armor", function() {
- function getArmor(headers) {
+ function getArmor(headers, signatureHeaders) {
 return ['-----BEGIN PGP SIGNED MESSAGE-----']
 .concat(headers)
 .concat(
 ['',
 'sign this',
- '-----BEGIN PGP SIGNATURE-----',
- 'Version: GnuPG v2.0.22 (GNU/Linux)',
- '',
+ '-----BEGIN PGP SIGNATURE-----']
+ )
+ .concat(signatureHeaders || ['Version: GnuPG v2.0.22 (GNU/Linux)'])
+ .concat(
+ ['',
 'iJwEAQECAAYFAlMrPj0ACgkQ4IT3RGwgLJfYkQQAgHMQieazCVdfGAfzQM69Egm5',
 'HhcQszODD898wpoGCHgiNdNo1+5nujQAtXnkcxM+Vf7onfbTvUqut/siyO3fzqhK',
 'LQ9DiQUwJMBE8nOwVR7Mpc4kLNngMTNaHAjZaVaDpTCrklPY+TPHIZnu0B6Ur+6t',
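Review bot: The interior class `[^:]*` in the new key pattern of verifyHeaders admits every non-colon character, so tabs, carriage returns and other whitespace or control characters are now accepted inside a header key, where the old `[^:\s]+` rejected all of them; the accepted keys in the test cases visible in test/general/armor.js only need a plain space. If only U+0020 is meant to be allowed between key words, the line could read `if (!/^([^\s:]|[^\s:]([^\s:]| )*[^\s:]): .+$/.test(headers[i])) {`, which still passes and rejects the same header samples listed in the new tests. Whether such characters can reach this loop depends on splitHeaders, which lies outside the hunk, and the body of verifyHeaders continues past the last hunk line. Note also that `Ha sh: SHA256` now passes this check and is stopped only by the later "Only "Hash" header allowed" check, so the cleartext path relies on that allow-list rather than on this format test. The doc comment above the function could say so, for example `* Syntax check only; armor headers are not covered by any signature, so callers must treat key and value as untrusted text.`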
@@ -100,18 +102,32 @@ describe("ASCII armor", function() {
 expect(msg).to.be.an.instanceof(openpgp.cleartext.CleartextMessage);
 });
- it('Exception if improperly formatted armor header', function () {
+ it('Exception if improperly formatted armor header - plaintext section', function () {
 var msg = getArmor(['Hash:SHA256']);
 msg = openpgp.cleartext.readArmored.bind(null, msg);
 expect(msg).to.throw(Error, /Improperly formatted armor header/);
 msg = getArmor(['Ha sh: SHA256']);
 msg = openpgp.cleartext.readArmored.bind(null, msg);
- expect(msg).to.throw(Error, /Improperly formatted armor header/);
+ expect(msg).to.throw(Error, /Only "Hash" header allowed in cleartext signed message/);
 msg = getArmor(['Hash SHA256']);
 msg = openpgp.cleartext.readArmored.bind(null, msg);
 expect(msg).to.throw(Error, /Improperly formatted armor header/);
 });
+ it('Exception if improperly formatted armor header - signature section', function () {
+ [' Space: leading', 'Space : trailing', 'Space :switched', ': empty', 'none', 'Space:missing'].forEach(function (invalidHeader) {
+ expect(openpgp.cleartext.readArmored.bind(null, getArmor(['Hash: SHA1'], [invalidHeader]))).to.throw(Error, /Improperly formatted armor header/);
+ });
+ });
+
+ it('Ignore unknown armor header - signature section', function () {
+ var validHeaders = ['Version: BCPG C# v1.7.4114.6375', 'Independent Reserve Pty. Ltd. 2017: 1.0.0.0'];
+ expect(openpgp.cleartext.readArmored(getArmor(['Hash: SHA1'], validHeaders))).to.be.an.instanceof(openpgp.cleartext.CleartextMessage);
+ ['A: Hello', 'Ab: 1.2.3', 'Abcd: #!/yah', 'Acd 123 5.6.$.8: Hello', '_: Hello', '*: Hello', '* & ## ?? 
()(): Hello', '( ): Weird'].forEach(function (validHeader) {
+ expect(openpgp.cleartext.readArmored(getArmor(['Hash: SHA1'], [validHeader]))).to.be.an.instanceof(openpgp.cleartext.CleartextMessage);
+ });
+ });
+
 it('Exception if wrong armor header type', function () {
 var msg = ['-----BEGIN PGP SIGNED MESSAGE\u2010\u2010\u2010\u2010\u2010\nHash:SHA1\n\nIs this properly-----',