dodo icon indicating copy to clipboard operation
dodo copied to clipboard
Published 3 months ago verified publisher icon akissinger

Weird regex matching on UIDs for encryption

Open The-Compiler opened this issue 1 year ago • 1 comments

I just noticed:

https://github.com/akissinger/dodo/blob/503763c4d738af79ee0d761c47920e9a7b61855a/dodo/pgp_util.py#L69-L79

Where the any(re.search(addr, u) for u in k['uids'] for addr in recipients) strikes me as very odd.

  • Why is addr treated as a regex pattern here?
  • Why a fuzzy match at all, rather than running email.utils.getaddresses() on the UIDs again and matching on that? Right now, if I sent a mail to [email protected] but happened to have a key for [email protected] in my keyring, wouldn't eve be able to decrypt that message too?

cc @hbog

The-Compiler avatar Sep 12 '24 09:09 The-Compiler

Good point! Thank you for spotting this vulnerability and suggesting an elegant solution.

hbog avatar Oct 05 '24 08:10 hbog