Merge #13479: contrib: Fix CVE-2018-12356 by hardening the regex
9e2e5626da
Fix CVE-2018-12356 by hardening the regex. (Loganaden Velvindron)
Pull request description:
Detailed write-up here:
https://neopg.io/blog/pass-signature-spoof/
Tree-SHA512: 2020474ff4c7b5e7f1bea932c63da62aca48d3dc6dcd04507afefad6c40f2977ed2d2916defe2e8e7936a2d498125c578077870147954a7af9b29b823cbb0b10
This commit is contained in:
commit
fa2ea37940
|
@ -57,7 +57,7 @@ if ! $VALID; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
if $VALID && $REVSIG; then
|
if $VALID && $REVSIG; then
|
||||||
printf '%s\n' "$INPUT" | gpg --trust-model always "$@" 2>/dev/null | grep "\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)"
|
printf '%s\n' "$INPUT" | gpg --trust-model always "$@" 2>/dev/null | grep "^\[GNUPG:\] \(NEWSIG\|SIG_ID\|VALIDSIG\)"
|
||||||
echo "$GOODREVSIG"
|
echo "$GOODREVSIG"
|
||||||
else
|
else
|
||||||
printf '%s\n' "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
|
printf '%s\n' "$INPUT" | gpg --trust-model always "$@" 2>/dev/null
|
||||||
|
|
Loading…
Reference in New Issue