Bug#565981: debbugs: Debbugs::MIME::parse doesn't handle PGP Signed messages with \r correctly

[Don Armstrong <don@donarmstrong.com>]

On Wed, 20 Jan 2010, Mike Hommey wrote:
> On Wed, Jan 20, 2010 at 10:19:17AM -0800, Don Armstrong wrote:
> > On Wed, 20 Jan 2010, Mike Hommey wrote:
> > > #532828 is an example of a bug with a PGP signed report message with
> > > \r. Debbugs::MIME::parse doesn't handle this case correctly, leading
> > > to the returned message being empty after it strips off
> > > RFC2440-style PGP clearsigning.
> > > 
> > >      # Strip off RFC2440-style PGP clearsigning.
> > >      if (@bodylines and $bodylines[0] =~ /^-----BEGIN PGP SIGNED/) {
> > > -	shift @bodylines while @bodylines and length $bodylines[0];
> > > +	shift @bodylines while @bodylines and $bodylines[0] =~ /\S/;
> > 
> > This is too broad. It should be:
> >               and length $bodylines[0] and $bodylines[0] ne qq(\r);
> 
> Isn't that going to miss the "normal" case, where there aren't any \r ?

Nah, because it'll bail out at the point when length $bodylines[0] is
0. The problem is when there is a \r, we strip off the \n, but the \r
sticks around, so length $bodylines[0] is always >=1, and we never
stop shift-ing. [An alternative is that the code should be striping
off both the \r and the \n, but I have to look at that code and the
RFCs again to be certain.]


Don Armstrong

-- 
You could say to the Universe this is not /fair/. And the Universe
would say: Oh it isn't? Sorry.
 -- Terry Pratchett _Soul Music_ p357

http://www.donarmstrong.com              http://rzlab.ucr.edu