#112 Verification succeeds for invalid "l=" value

v2.5.3
closed-fixed
5
2014-08-19
2008-04-14
M T
No

A message with a body length (l=) value that is greater than the total length of the body should fail verification, according to the spec:
"This value MUST NOT be larger than the actual number of octets in the canonicalized message body."

Verification for such a message succeeds with the current version (v2.5.3).
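
The check the report asks for, as an added example (not code from this ticket or from the project): the body-hash step of verification rejects an l= value larger than the canonicalized body. It assumes "simple" body canonicalization and a=rsa-sha256, skips the b= signature check, and every function name and the sample message are constructed for illustration.

```python
import base64
import hashlib
import re


class BodyLengthError(ValueError):
    """l= is malformed or exceeds the canonicalized body length."""


def parse_tags(sig_value: str) -> dict:
    # Split a DKIM-Signature value into tag=value pairs, dropping folding whitespace.
    tags = {}
    for part in sig_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canon_body_simple(body: bytes) -> bytes:
    # "simple" body canonicalization: drop trailing empty lines, end with one CRLF.
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def verify_body_hash(sig_value: str, body: bytes) -> bool:
    tags = parse_tags(sig_value)
    canon = canon_body_simple(body)
    if "l" in tags:
        if not re.fullmatch(r"[0-9]{1,76}", tags["l"]):
            raise BodyLengthError("malformed l= value")
        limit = int(tags["l"])
        # canon[:limit] would silently clamp an oversized limit, so check first.
        if limit > len(canon):
            raise BodyLengthError(f"l={limit} exceeds body length {len(canon)}")
        canon = canon[:limit]
    digest = base64.b64encode(hashlib.sha256(canon).digest()).decode()
    return digest == tags.get("bh")


def make_sig(body: bytes, l: int) -> str:
    # Constructed sample header value (no b= signature); bh covers at most the real body.
    data = canon_body_simple(body)[:l]
    bh = base64.b64encode(hashlib.sha256(data).digest()).decode()
    return f"v=1; a=rsa-sha256; c=simple/simple; l={l}; bh={bh}"


BODY = b"Hello world\r\n\r\n"  # constructed: 15 raw octets, 13 after canonicalization
```

With this sample, l=14 is smaller than the raw body but larger than the canonicalized one, so it is rejected even though the body hash would otherwise match.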

Discussion

  • Proposed patch #1

     
    Attachments
  • Logged In: YES
    user_id=1048957
    Originator: NO

    Try the attached patch.
    File Added: PATCH

     
    • labels: --> Functionality
    • assigned_to: nobody --> sm-msk
    • milestone: --> v2.5.3
     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    I took the following steps to verify:

    - run your header through our filter with debugging set such that canonicalizations are
    left behind in /var/tmp
    - split your attached message into two parts, headers and body
    - add CRs to the end of each line in the headers (which happens in normal SMTP)
    - move the signature header lines to the end, per header canonicalization procedure

    ...then the canonicalized header and the header file thus produced are identical.

    It appears to me the signature is not valid.

     
    • status: open --> pending
     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    Disregard previous comment; it was intended for another bug.

     
    • status: pending --> open
     
  • Logged In: YES
    user_id=1048957
    Originator: NO

    v2.5.4 released, including this patch.

     
    • status: open --> closed-fixed