+2006-11-18 Andreas Seltenreich <uwi7@rz.uni-karlsruhe.de>
+
+ * mm-uu.el (mm-uu-pgp-signed-extract-1): Make last fix more thorough
+ and comment it.
+
+ * nnslashdot.el (nnslashdot-retrieve-headers-1): Update regexp.
+
2006-11-15 Reiner Steib <Reiner.Steib@gmx.de>
* gnus-util.el (gnus-extract-address-components): Improve comment.
mm-security-handle 'gnus-details
(format "Clear verification not supported by `%s'.\n" mml2015-use))))
(goto-char (point-min))
- (if (re-search-forward "\n[\t ]*\n" nil t)
- (delete-region (point-min) (point)))
+ (forward-line)
+ ;; We need to be careful not to strip beyond the armor headers.
+ ;; Previously, an attacker could replace the text inside our
+ ;; markup with trailing garbage by injecting whitespace into the
+ ;; message.
+ (while (looking-at "Hash:") ; The only header allowed in cleartext
+ (forward-line)) ; signatures according to RFC2440.
+ (when (looking-at "[\t ]*$")
+ (forward-line))
+ (delete-region (point-min) (point))
(if (re-search-forward mm-uu-pgp-beginning-signature nil t)
(delete-region (match-beginning 0) (point-max)))
(goto-char (point-min))
(setq article (if (and article (< start article)) article start))
(goto-char point)
(while (re-search-forward
- "<a name=\"\\([0-9]+\\)\">\\([^<]+\\)</a>.*\n.*\n.*score:\\([^)]+\\))"
+ "<a name=\"\\([0-9]+\\)\">\\([^<]+\\)\\(?:.*\n\\)\\{2,10\\}.*score:\\([^)]+\\))"
nil t)
(setq cid (match-string 1)
subject (match-string 2)
projects / emacs.git / commitdiff