[PATCH 5/5] gpg: Fix regexp sanitization.

Damien Goutte-Gattat dgouttegattat at incenp.org
Wed Jul 19 11:33:04 CEST 2017


* g10/trustdb.c (sanitize_regexp): Do not escape normal characters.
--

The current sanitization code escapes ALL characters in the
regular expression, including characters that do not have any
special meaning and only match themselves. Only the dot (.)
is not escaped.

This leads to, e.g., 'example.com' being sanitized into
'\e\x\a\m\p\l\e.\c\o\m', which will then fail to match against
'alice at example.com'.

This patch updates the function to escape only the meaningful
characters (minus the dot).

GnuPG-bug-id: 2923
Signed-off-by: Damien Goutte-Gattat <dgouttegattat at incenp.org>
---
 g10/trustdb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/g10/trustdb.c b/g10/trustdb.c
index e2c3bda..080f2f3 100644
--- a/g10/trustdb.c
+++ b/g10/trustdb.c
@@ -1541,7 +1541,7 @@ sanitize_regexp(const char *old)
     {
       if(!escaped && old[start]=='\\')
 	escaped=1;
-      else if(!escaped && old[start]!='.')
+      else if(!escaped && strchr("[]$^()|*+?{}", old[start]))
 	new[idx++]='\\';
       else
 	escaped=0;
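Review bot: the set of escaped metacharacters on the added line, `strchr("[]$^()|*+?{}", old[start])`, is an inline literal with no comment explaining which characters are left out and why. The dot is omitted on purpose according to the commit message, and the backslash is handled by the branch above, but a reader of the code alone cannot tell that from this line. Consider a named constant with a one-line comment stating both. Also note that strchr() returns a non-NULL pointer when its second argument is '\0', because the terminator counts as part of the string. If the enclosing loop can ever reach the NUL at the end of `old`, this branch would emit a backslash for it, so it is worth confirming the loop bound (not visible in this hunk) rules that out or adding an explicit `old[start] != '\0'` guard. A test case for the 'example.com' input from the commit message would help keep this from regressing.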
-- 
2.9.0



