View Issue Details

ID: 0001317
Project: Main CAcert Website
Category: GPG/PGP
View Status: public
Last Update: 2021-08-26 11:41
Reporter: janmaco
Assigned To: Eva
Priority: normal
Severity: major
Reproducibility: always
Status: needs review
Resolution: open
Product Version: 2014 Q3
Target Version: 2015 Q1
Summary: 0001317: Weak email sanity check when adding a new PGP key
Description: I tried to sign a PGP key with an email address containing a + (like test+a@example.tld). Using such an e-mail results in an error (No valid uid).
Steps To Reproduce: Create a PGP key with an email address containing a '+' -> paste it to the "Add PGP key" form
Additional Information: A cause may be located in incomplete regexes;
www/gpg.php:381
    if (preg_match("/<([\w.-]*\@[\w.-]*)>/", $bits[9], $match)) {
        //echo "Found: ".$match[1];
        $mail = trim(gpg_hex2bin($match[1]));
    }
Tags: No tags attached.
Reviewed by: BenBE
Test Instructions: Try to sign a mail address with a plus sign in it.
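
Added example (not part of the original report, not CAcert code, and not the patch linked in the notes): the pattern quoted from www/gpg.php run against constructed uid strings, next to a hypothetical widened pattern that admits "+" in the local part only. The names extract_uid_email, ORIGINAL_UID_RE and WIDENED_UID_RE and the sample strings are assumptions; the gpg_hex2bin step is left out because its behaviour is not shown on this page.

```php
<?php
// Added example, not CAcert code. Compares the pattern quoted in the report
// with a hypothetical widened pattern on constructed uid strings.

// Pattern as quoted from www/gpg.php: the local part allows only \w, '.', '-'.
const ORIGINAL_UID_RE = '/<([\w.-]*\@[\w.-]*)>/';

// Hypothetical replacement (assumption, not the patch from note 0005237):
// '+' is allowed in the local part only, and both sides of '@' must be
// non-empty, so the character class for the domain is left unchanged.
const WIDENED_UID_RE = '/<([\w.+-]+@[\w.-]+)>/';

/** Return the address found between <...> in a uid string, or null. */
function extract_uid_email(string $pattern, string $uid): ?string
{
    return preg_match($pattern, $uid, $m) === 1 ? trim($m[1]) : null;
}

// Constructed sample uid fields (stand-ins for what $bits[9] would hold).
$samples = [
    'Test User <test@example.tld>',
    'Test User <test+a@example.tld>',       // the case from the report
    'Test User <first.last-x@example.tld>',
    'Test User <te st@example.tld>',        // space in the local part
    'Test User <test@exam+ple.tld>',        // '+' in the domain part
    'Test User <@>',                        // empty local part and domain
    'Test User (no address)',               // no <...> at all
];

foreach ($samples as $uid) {
    $old = extract_uid_email(ORIGINAL_UID_RE, $uid);
    $new = extract_uid_email(WIDENED_UID_RE, $uid);
    printf(
        "%-40s original=%-26s widened=%s\n",
        $uid,
        $old ?? '(no valid uid)',
        $new ?? '(no valid uid)'
    );
}
```

Only the "+" address changes from rejected to accepted; the "<@>" sample shows that the "*" quantifiers in the quoted pattern also match an address with nothing on either side of "@", which the "+" quantifiers in the hypothetical pattern rule out.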

Activities

janmaco

2015-01-14 10:59

updater   ~0005237

Last edited: 2015-01-14 11:17

I have a patch for this bug here: https://github.com/yellowant/cacert-devel/commit/1439176e62ab63d6ab522b07ca18213e56c24bf4

Eva

2015-02-03 21:25

updater   ~0005305

I created a pgp key for the address 1317+asterix@acme.com and added it to the account.

The key was signed. -> ok
The key contained the signature -> ok
The key contained the correct name and email address -> ok
The key was displayed correctly in the "view" overview for pgp keys -> ok

=> ok

(I did not test other special characters as only "+" seems to be added)

felixd

2015-03-03 21:09

updater   ~0005342

I got a PGP key signed with an email address containing a "+". Keys with an incorrect email address still get rejected.

=> PASSED

Eva

2015-03-03 21:14

updater   ~0005345

As there are two successful tests, please do your review(s).

alkas

2021-08-26 11:41

manager   ~0006080

The patch proposed by 0001317:0005237 is NOT performed (on the testserver only?)

Issue History

Date Modified Username Field Change
2014-10-29 00:02 janmaco New Issue
2014-10-29 00:06 janmaco Steps to Reproduce Updated
2014-10-29 00:07 janmaco Steps to Reproduce Updated
2015-01-14 10:59 janmaco Note Added: 0005237
2015-01-14 11:17 janmaco Note Edited: 0005237
2015-01-20 23:29 janmaco Assigned To => janmaco
2015-01-20 23:29 janmaco Status new => fix available
2015-01-20 23:32 BenBE Assigned To janmaco => egal
2015-01-20 23:32 BenBE Status fix available => needs review & testing
2015-01-20 23:33 BenBE Reviewed by => BenBE
2015-01-20 23:33 BenBE Test Instructions => Try to sign a mail address with a plus sign in it.
2015-01-20 23:33 BenBE Target Version => 2015 Q1
2015-02-03 21:25 Eva Note Added: 0005305
2015-03-03 21:09 felixd Note Added: 0005342
2015-03-03 21:14 Eva Note Added: 0005345
2015-03-03 21:14 Eva Status needs review & testing => needs review
2015-10-20 20:14 BenBE Assigned To egal => Eva
2021-08-26 11:41 alkas Note Added: 0006080