Trust signatures with unbounded regular expressions
Werner Koch
wk at gnupg.org
Tue Feb 21 10:17:25 CET 2012
On Mon, 20 Feb 2012 01:10, s_buckhe at cs.uni-kl.de said:
> Hello,
>
> given a key, I would like to create a trust signature with a specific
> regular expression, say "-mail[12]\.example\.com$" in this exact form.
> That expression, and thus the signature, would match any domain name
> ending with -mail1.example.com or -mail2.example.com, including all
> email addresses attached to them. This is exactly what I want, but gnupg
> mangles the regular expression to match mail addresses or domains at or
> beneath the verbatim domain name -mail[12].example.com.
>
> Is there any way to create a trust signature with that exact regular
> expression with gnupg?

No. For security reasons we don't allow arbitrary REs anymore:

  2007-12-12 David Shaw <dshaw at jabberwocky.com> (wk)

        * trustdb.c (sanitize_regexp): New. Protect against dangerous
        regexps (malloc bombs) by force-commenting any characters aside
        from the ones we explicitly want.
        (check_regexp): Use it here before passing the regexp to
        regcomp().

See the comment in the sanitize_regexp function for more details.

Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are regulated by a federal law.
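
An illustration of the idea in the ChangeLog entry above, added here and not GnuPG's sanitize_regexp code: the pattern is reduced to literal text (optionally inside the fixed wrapper from the RFC 4880 example) before it reaches regcomp(). The names sanitize_re and uid_matches and the exact escaping rules are assumptions made for this sketch.

```c
#include <regex.h>
#include <string.h>

#define PRE "<[^>]+[@.]"   /* wrapper from the RFC 4880 example, kept verbatim */
#define SUF ">$"

/* Make everything between the optional wrapper literal: incoming "\c"
   escapes are dropped, then each POSIX ERE metacharacter is escaped.
   Returns 0 on success, -1 if `out` is too small. */
int sanitize_re(const char *in, char *out, size_t outsz)
{
    size_t len = strlen(in), pl = strlen(PRE), sl = strlen(SUF);
    size_t i = 0, end = len, o = 0;
    int wrapped = len >= pl + sl && !strncmp(in, PRE, pl)
                  && !strcmp(in + len - sl, SUF);
    if (outsz < 2 * len + 1)            /* worst case: every byte escaped */
        return -1;
    if (wrapped) {
        memcpy(out, PRE, pl);
        o = i = pl;
        end = len - sl;
    }
    for (; i < end; i++) {
        if (in[i] == '\\' && i + 1 < end)
            i++;                        /* drop the escape, keep the char */
        if (strchr(".[](){}*+?|^$\\", in[i]))
            out[o++] = '\\';            /* metacharacter becomes a literal */
        out[o++] = in[i];
    }
    if (wrapped) {
        memcpy(out + o, SUF, sl);
        o += sl;
    }
    out[o] = '\0';
    return 0;
}

/* 1 = user ID matches, 0 = no match, -1 = pattern rejected. */
int uid_matches(const char *re, const char *uid)
{
    char safe[512];
    regex_t rx;
    int rc;
    if (sanitize_re(re, safe, sizeof safe) != 0
        || regcomp(&rx, safe, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&rx, uid, 0, NULL, 0);
    regfree(&rx);
    return rc == 0;
}
```

With these rules the expression from the question comes out as the literal text `-mail\[12\]\.example\.com\$`, so the bracket expression and the anchor no longer act as operators, and nested repetition such as `(x{9}){9}` is compiled as plain characters.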