> [507ee45f25] <http://localhost:8080/info/507ee45f25> Fix an off-by-one
> bug in the network protocol handler so that it can accept a zero-length
> file. (*PGP SIGNED*) (user:
> drh<http://localhost:8080/timeline?u=drh&c=2007-08-25+12%3A31%3A55&nd>,
> tags:
> trunk<http://localhost:8080/timeline?r=trunk&nd&c=2007-08-25+12%3A31%3A55>
> )
> 04:02
> [9b30224db7] <http://localhost:8080/info/9b30224db7> Closed-Leaf: Merging
> formatting changes to timeline and concepts documentation (*PGP SIGNED*)
> (user: aku<http://localhost:8080/timeline?u=aku&c=2007-08-25+04%3A02%3A27&nd>,
> tags:
> trunk<http://localhost:8080/timeline?r=trunk&nd&c=2007-08-25+04%3A02%3A27>
> )

You should be careful how you render things like that. I think now a malicious user Mallory can easily subvert your scheme by appending the text " (*PGP SIGNED*)" to the end of his unsigned check-in comment. People will think he has signed the check-in when he really hasn't.
It gets worse if Mallory can masquerade as DRH during a check-in, and you are relying solely on PGP signatures for authentication. Then you will think that Mallory's code has DRH's blessing when it really does not. Mayhem will surely ensue. :-)

This is analogous to a consideration given by the authors of Mutt (an emailer) in which by default they did not render ANSI color escape sequences in messages -- again because it could be used to subvert their PGP rendering scheme. See http://www.mutt.org/doc/manual/manual-6.html and search for "allow_ansi".

You might be able to cure the issue by rendering the indicator in a way that a user cannot affect directly.

Eric
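The spoof described in this message, and one way to render the indicator so that comment text cannot imitate it, as an added Python example that is not Fossil's code and not part of the original post. The `Checkin` record, the `signature_verified` flag (assumed to come from verifying the manifest's PGP signature, never from the comment), and Mallory's check-in are constructed for illustration. `render_vulnerable` reproduces the weakness in the quoted timeline (indicator appended as plain text); `render_hardened` emits the signature state from the boolean only, in its own element placed before the comment, shows an explicit state for every check-in so an unsigned one cannot pass as signed by omission, and strips ANSI escape sequences from the comment in the spirit of Mutt's `allow_ansi` default.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Checkin:
    """Hypothetical check-in record (not Fossil's data model). The
    signature_verified flag must be the result of verifying the manifest's
    PGP signature; it is never derived from the comment text."""
    uuid: str
    user: str
    comment: str
    signature_verified: bool


INDICATOR = "(*PGP SIGNED*)"


def render_vulnerable(ci: Checkin) -> str:
    """The weakness from the quoted timeline: the indicator is plain text
    appended to the comment, so it is indistinguishable from the same text
    typed into an unsigned comment."""
    text = ci.comment
    if ci.signature_verified:
        text += " " + INDICATOR
    return f"[{ci.uuid}] {text} (user: {ci.user})"


# ANSI CSI sequences (ESC [ params intermediates final) and other C0/DEL
# control characters that a terminal or naive renderer might interpret.
_CSI = re.compile(r"\x1b\[[0-?]*[ -/]*[@-~]")
_CTRL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_comment(comment: str) -> str:
    """Drop escape/control sequences and HTML-escape the rest, so the comment
    is inert text that cannot restyle or relabel the surrounding markup."""
    comment = _CSI.sub("", comment)
    comment = _CTRL.sub("", comment)
    return html.escape(comment, quote=True)


def render_hardened(ci: Checkin) -> str:
    """Signature state comes only from the boolean, lives in its own element
    before the comment, and is shown for every check-in (signed or not)."""
    if ci.signature_verified:
        badge = '<span class="sig sig-ok">PGP signed</span>'
    else:
        badge = '<span class="sig sig-none">unsigned</span>'
    return (
        f'<li data-uuid="{html.escape(ci.uuid)}">{badge} '
        f'<span class="comment">{sanitize_comment(ci.comment)}</span> '
        f'(user: {html.escape(ci.user)})</li>'
    )


def spoof_attempted(ci: Checkin) -> bool:
    """Review/log signal: an unsigned comment that imitates the indicator.
    The hardened renderer no longer trusts the text, but the attempt is
    still worth noticing."""
    return not ci.signature_verified and INDICATOR in ci.comment


if __name__ == "__main__":
    # Constructed sample data; the first uuid is the one from the quoted timeline.
    honest = Checkin("507ee45f25", "drh", "Fix an off-by-one bug", True)
    mallory = Checkin("deadbeef00", "mallory",
                      "Totally legit change " + INDICATOR, False)
    for ci in (honest, mallory):
        print(render_vulnerable(ci))   # both lines carry the indicator
        print(render_hardened(ci))     # only the signed one gets sig-ok
        print("spoof attempted:", spoof_attempted(ci))
```

In the hardened form the only thing Mallory controls is the escaped contents of the `comment` span; the badge text and class are chosen by the verifier's boolean, and its fixed position before the comment means a trailing "(*PGP SIGNED*)" reads as part of the message, not as the status column.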
_______________________________________________ fossil-users mailing list fossil-users@lists.fossil-scm.org http://lists.fossil-scm.org:8080/cgi-bin/mailman/listinfo/fossil-users