user/dev discussion of public-inbox itself
* Merge branch 'unsubscribe'
  @ 2016-06-07 13:18  5% ` Eric Wong
  0 siblings, 0 replies; 2+ results
From: Eric Wong @ 2016-06-07 13:18 UTC (permalink / raw)
  To: meta

commit 3f779258173530ca88f31e1dc5332f951d2c44cd
Merge: e2adc94 852df98
Author: Eric Wong <e@80x24.org>
Date:   Tue Jun 7 12:57:42 2016 +0000

    Merge branch 'unsubscribe'
    
    * unsubscribe:
      unsubscribe.milter: use default postfork dispatcher
      unsubscribe: prevent decrypt from showing random crap
      examples/unsubscribe-psgi@.service: disable worker processes
      unsubscribe: bad URL fixup
      unsubscribe: get off mah lawn^H^H^Hist


* [PATCH 4/1] unsubscribe: prevent decrypt from showing random crap
  @ 2016-05-21  4:43  7% ` Eric Wong
  0 siblings, 0 replies; 2+ results
From: Eric Wong @ 2016-05-21  4:43 UTC (permalink / raw)
  To: meta

Wow, I don't know crypto at all.
---
 Hopefully this isn't exploitable somehow... Gah :x

 lib/PublicInbox/Unsubscribe.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/PublicInbox/Unsubscribe.pm b/lib/PublicInbox/Unsubscribe.pm
index 4ccdb7e..97ff97f 100644
--- a/lib/PublicInbox/Unsubscribe.pm
+++ b/lib/PublicInbox/Unsubscribe.pm
@@ -77,7 +77,7 @@ sub _user_list_addr {
 			'Missing mailing list name in path component');
 	}
 	my $user = eval { $self->{cipher}->decrypt(decode_base64url($u)) };
-	if (!defined $user || $user eq '') {
+	if (!defined $user || index($user, '@') <= 1) {
 		my $err = quotemeta($@);
 		my $errors = $env->{'psgi.errors'};
 		$errors->print("error decrypting: $u\n");
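
Review bot: the new condition `index($user, '@') <= 1` is a plausibility test on the decrypted bytes, not an integrity check, and its threshold looks off by one. `index` is zero-based and returns -1 when nothing matches, so `<= 1` also rejects a valid address with a one-character local part such as `a@example.com` (where `@` is at index 1); `<= 0` would reject only a missing or leading `@`. Separately, a tampered `$u` whose decryption happens to contain `@` past the second byte still passes this test and is treated as a user address. If the token carries no authentication tag, consider verifying a MAC over the ciphertext before calling `decrypt` and failing closed on mismatch, or at minimum validating `$user` against a full address pattern. A short code comment explaining why the `@` test exists would also help, since neither the subject line nor the message body says what input produced the garbage.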


2016-05-20 21:36     [PATCH] unsubscribe: get off mah lawn^H^H^Hist Eric Wong
2016-06-07 13:18  5% ` Merge branch 'unsubscribe' Eric Wong
2016-05-21  3:03     [PATCH 0/2] http: start migrating to pull-based I/O Eric Wong
2016-05-21  4:43  7% ` [PATCH 4/1] unsubscribe: prevent decrypt from showing random crap Eric Wong

Code repositories for project(s) associated with this public inbox

	https://80x24.org/public-inbox.git
