Package: onak Version: 0.3.2-1.1 [output of reportbug at the end]
Some adventurous programmers I know are working on a system that uses
PGP certificate user ids in unusual ways. Some of the userids are
essentially URIs in this system. The system needed to talk to a local
keyserver, so we set one up using onak and mathopd, which was easy and
worked very well, but this led to us finding a minor little bug in onak.
When a remote client requests a lookup of a key to which are attached
user ids containing the ':' (colon) character, onak does not escape the
colon in its response, which results in the user seeing an incorrect
user id.
This would also affect normal user id comments and other strings in user
ids that might contain colons, even for user ids that are not URI-like.
DETAILS:
For example, if onak's data contains a key with the userid
ssh://example.org
attached, and a user issues the command:
# gpg --keyserver my.onak.example.org --search-keys example
The response comes back:
gpg: searching for "example" from hkp server my.onak.example.org
(1) ssh
2048 bit RSA key ADF1B2A9757DEC5F003051A265EDC684428B63AA,
created: 2008-06-20
where it should be:
gpg: searching for "example" from hkp server my.onak.example.org
(1) ssh://example.org
2048 bit RSA key ADF1B2A9757DEC5F003051A265EDC684428B63AA,
created: 2008-06-20
Everything after the colon was truncated in the response, which could be
a problem when distinguishing a key from another by looking at its user
id.
One can see the unescaped colon here in onak's response to a wget query:
# wget -q -O-
'http://my.onak.example.org:11371/pks/lookup?op=index&options=mr&search=example'
info:1:1
pub:ADF1B2A9757DEC5F003051A265EDC684428B63AA:1:2048:1213945978::
uid:ssh://example.org
Whereas from other keyservers the response would have been something
like
info:1:1
pub:ADF1B2A9757DEC5F003051A265EDC684428B63AA:1:2048:1213945978::
uid:ssh%3A//example.org
The above was confirmed by checking public keyservers known to be
running other keyserver software.
Presumably this affects other characters besides colon, but I have not
checked, and it might not be relevant, as colons seem to be used as
delimiters by the recipient (gpg in this case).
Thanks for listening, keep up the good work.
--mjgoins
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: powerpc (ppc)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-powerpc
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages onak depends on:
ii adduser 3.102 Add and remove users and
groups
ii libc6 2.3.6.ds1-13etch5 GNU C Library: Shared
libraries
ii libdb4.2 4.2.52+dfsg-2 Berkeley v4.2 Database
Libraries [
Versions of packages onak recommends:
ii mathopd [httpd] 1.5p5-1 Very small, yet very fast
signature.asc
Description: Digital signature
