Update 'SourceCodeAnalysis'
parent
9f4613ad2b
commit
9deb82f004
@ -24,3 +24,8 @@ A Python module wrapping calls to `/usr/bin/gpg` binary.
A web interface to upload public keys and optionally a keyserver.
* Each failed update of an existing key ends with all valid keys being deleted, which seems like an opportunity for an attacker to disable a person's mailbox encryption.
* There might be a vulnerability in key-confirmation code: `$email` and `$confirm` are not sanitised before being passed to the database.
* Key upload protocol is very simple:
1. An email address and a key is uploaded with HTTP POST.
3. Email asking for confirmation is sent to the email address given.
4. Confirmation is performed by sending a request with that email and a random string generated in the first step.
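Review bot: the key upload protocol list is numbered 1, 3, 4 with no step 2, even though step 4 refers to "a random string generated in the first step"; either the line describing the generation of that random string was dropped or the steps should be renumbered 1, 2, 3. The first bullet (a failed update deletes all valid keys) is an availability finding rather than a confidentiality one, so it would help to state that explicitly and to note the expected fix, namely that a failed update should leave the existing keys untouched instead of deleting them. The `$email` / `$confirm` bullet would be more actionable with a pointer to the exact query where the values reach the database and a recommendation to use parameterised statements, since "not sanitised" alone does not say whether the values are interpolated into SQL.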