[PATCH 5/5] gpg: Fix regexp sanitization.
John O'Meara
john.fr.omeara at gmail.com
Wed Jul 19 14:55:34 CEST 2017
Quoth Justus Winter <justus at g10code.com> on Wed, 19 Jul 2017 13:22:29 +0200:
> Damien Goutte-Gattat <dgouttegattat at incenp.org> writes:
>
>> This patch updates the function to escape only the meaningful
>> characters (minus the dot).
>
> I'm not convinced that this patch is correct. I'm not convinced that we
> should attempt any kind of sanitization at all. This happens right
> before the expression is fed to the regex engine. I could somehow
> understand that we do sanitization or try to suggest improvements when
> users enter an expression, but not when interpreting expressions found
> in keys.
>
> Imagine I have for some reason the expression 'foo.*\.org' in a trust
> signature, because I only want to match organisations starting with foo.
> RFC4880 seems to allow that aiui. Your patch breaks that, but so does
> sanitize_regexp as it is now.
>
>
> I don't see how and why we should do any sane sanitization at all.
>
> Discuss!
As I see it, the problem is that the OpenPGP regex dialect
(from RFC4880) is different from the one that POSIX uses. I
can see 3 options for dealing with the difference:
1: Implement the RFC4880 dialect ourselves. This seems
error prone and a 'reinvention of the wheel'.
2: Utilize the regex implementation specified in RFC4880. I
presume this wasn't done due to license incompatibility
(but I don't actually know).
3: Convert from RFC4880 regex dialect to POSIX dialect and
then feed the result to the POSIX engine.
The latter is what I attempted in my January patch, and for
the purpose of covering cases like the 'foo.*\.org' case you
mention. For my own purposes, I needed to select 2 domains,
so I needed something like '(domA|domB)\.com', which my
patch also covered. (However, I didn't have any coded tests
for it.)
I think option 2 would be the best, if possible, because
then there shouldn't be any weird corner cases to worry
about.
I am happy in the short term for Damien's patches, since
they provide the testing foundation and the sanitization
update at least allows simple trust signatures to work now.
--
John O'Meara
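John's option 3 (convert the RFC4880 dialect to POSIX and hand the result to the POSIX engine), written up as an added example that is not GnuPG's code and is not from this thread. It assumes the grammar of RFC 4880 section 8, where a backslash makes any following character literal and braces are ordinary characters, and it uses the C library's regcomp()/regexec() as the POSIX engine; it handles the 'foo.*\.org' and '(domA|domB)\.com' cases from the discussion.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GnuPG's code: option 3 from the thread, rewriting an
 * RFC 4880 section 8 regex as a POSIX ERE before regcomp(). Assumed from the
 * RFC grammar: '\' makes any following character literal and braces are
 * ordinary; ERE defines '\' only before its own metacharacters. */
int rfc4880_to_ere(const char *in, char *out, size_t outlen)
{
    size_t o = 0, n;
    int in_bracket = 0, first = 0;       /* first: right after '[' or '[^' */
    char tok[4];
    for (const char *p = in; *p; p++) {
        char c = *p;
        if (in_bracket) {                /* copy bracket expressions verbatim */
            if (c == ']' && !first) in_bracket = 0;
            first = first && c == '^';
            snprintf(tok, sizeof tok, "%c", c);
        } else if (c == '\\') {
            if (!(c = *++p)) return -1;  /* dangling backslash: reject */
            if (c == '{' || c == '}') snprintf(tok, sizeof tok, "[%c]", c);
            else if (strchr(".[()*+?|^$\\", c)) snprintf(tok, sizeof tok, "\\%c", c);
            else snprintf(tok, sizeof tok, "%c", c);   /* e.g. '\@' -> '@' */
        } else if (c == '{' || c == '}') {
            snprintf(tok, sizeof tok, "[%c]", c);      /* literal brace in ERE */
        } else {
            if (c == '[') in_bracket = first = 1;
            snprintf(tok, sizeof tok, "%c", c);
        }
        n = strlen(tok);
        if (o + n >= outlen) return -1;  /* output buffer too small */
        memcpy(out + o, tok, n);
        o += n;
    }
    out[o] = '\0';
    return in_bracket ? -1 : 0;          /* unterminated '[' is an error */
}

/* Match a user ID against an RFC 4880 regex: 1 match, 0 no match, -1 error. */
int uid_matches(const char *rfc_re, const char *uid)
{
    char ere[256]; regex_t re; int rc;
    if (rfc4880_to_ere(rfc_re, ere, sizeof ere) != 0) return -1;
    if (regcomp(&re, ere, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    rc = regexec(&re, uid, 0, NULL, 0) == 0;
    regfree(&re);
    return rc;
}
```

A malformed expression found in a key (dangling backslash, unterminated bracket) is rejected rather than silently rewritten, which is the defensive choice when the pattern was authored by someone else.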