[tor-commits] [bridgedb/develop] Don't interpret quoted text as commands.

phw at torproject.org phw at torproject.org
Mon Aug 26 21:51:37 UTC 2019


commit 4a0586767f08a3b4ee83b7805fd3cfcf531c245d
Author: Philipp Winter <phw at nymity.ch>
Date:   Mon Aug 19 17:05:52 2019 -0700

    Don't interpret quoted text as commands.
    
    BridgeDB gets confused when users reply to a "get help" email.  The
    issue is that BridgeDB interprets commands anywhere in the email body,
    even if it's in quoted text.
    
    To fix this issue, we are ignoring commands whose email body line starts
    with a '>' character, which is typically used for email quotes.
    
    This fixes <https://bugs.torproject.org/17626>.
---
 CHANGELOG                              |  9 +++++++++
 bridgedb/distributors/email/request.py | 21 +++++++++++++++------
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index aba6d19..c3073ef 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,12 @@
+Changes in version 0.8.1 -
+
+        * FIXES https://bugs.torproject.org/17626
+        BridgeDB gets confused when users reply to a "get help" email.  The
+        issue is that BridgeDB interprets commands anywhere in the email body,
+        even if it's in quoted text.  To fix this issue, we are ignoring
+        commands whose email body line starts with a '>' character, which is
+        typically used for email quotes.
+
 Changes in version 0.8.0 - 2019-08-20
 
         * FIXES https://bugs.torproject.org/9316
diff --git a/bridgedb/distributors/email/request.py b/bridgedb/distributors/email/request.py
index a490e56..83c203d 100644
--- a/bridgedb/distributors/email/request.py
+++ b/bridgedb/distributors/email/request.py
@@ -58,6 +58,15 @@ TRANSPORT_PATTERN = re.compile(TRANSPORT_REGEXP)
 UNBLOCKED_REGEXP = ".*unblocked ([a-z]{2,4})"
 UNBLOCKED_PATTERN = re.compile(UNBLOCKED_REGEXP)
 
+#: Regular expressions that we use to match for email commands.  Any command is
+#: valid as long as it wasn't quoted, i.e., the line didn't start with a '>'
+#: character.
+HELP_LINE      = re.compile("([^>].*)?h[ae]lp")
+GET_LINE       = re.compile("([^>].*)?get")
+KEY_LINE       = re.compile("([^>].*)?key")
+IPV6_LINE      = re.compile("([^>].*)?ipv6")
+TRANSPORT_LINE = re.compile("([^>].*)?transport")
+UNBLOCKED_LINE = re.compile("([^>].*)?unblocked")
 
 def determineBridgeRequestOptions(lines):
     """Figure out which :mod:`~bridgedb.filters` to apply, or offer help.
@@ -83,20 +92,20 @@ def determineBridgeRequestOptions(lines):
         if not line: skippedHeaders = True
         if not skippedHeaders: continue
 
-        if ("help" in line) or ("halp" in line):
+        if HELP_LINE.match(line) is not None:
             raise EmailRequestedHelp("Client requested help.")
 
-        if "get" in line:
+        if GET_LINE.match(line) is not None:
             request.isValid(True)
             logging.debug("Email request was valid.")
-        if "key" in line:
+        if KEY_LINE.match(line) is not None:
             request.wantsKey(True)
             raise EmailRequestedKey("Email requested a copy of our GnuPG key.")
-        if "ipv6" in line:
+        if IPV6_LINE.match(line) is not None:
             request.withIPv6()
-        if "transport" in line:
+        if TRANSPORT_LINE.match(line) is not None:
             request.withPluggableTransportType(line)
-        if "unblocked" in line:
+        if UNBLOCKED_LINE.match(line) is not None:
             request.withoutBlockInCountry(line)
 
     logging.debug("Generating hashring filters for request.")





More information about the tor-commits mailing list