Disroot
/
gpg-lacre
9
15
Fork 4
Code Issues 29 Pull Requests 1 Releases 2 Wiki Activity

Zaktualizuj 'SourceCodeAnalysis'

pfm 2021-04-27 19:54:55 +00:00
parent 9f4613ad2b
commit 9deb82f004
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
SourceCodeAnalysis.md

@ -24,3 +24,8 @@ A Python module wrapping calls to `/usr/bin/gpg` binary.
A web interface to upload public keys and optionally a keyserver.
* Each failed update of an existing key ends with all valid keys being deleted, which seems like an opportunity for an attacker to disable a person's mailbox encryption.
* There might be a vulnerability in key-confirmation code: `$email` and `$confirm` are not sanitised before being passed to the database.
* Key upload protocol is very simple:
1. An email address and a key is uploaded with HTTP POST.
3. Email asking for confirmation is sent to the email address given.
4. Confirmation is performed by sending a request with that email and a random string generated in the first step.