SECURITY: Don't cache local addressbook PGP public key results

diff --git a/imp/docs/CHANGES b/imp/docs/CHANGES
index 06f22db..838ada9 100644 (file)
--- a/imp/docs/CHANGES
+++ b/imp/docs/CHANGES
@@ -57,6 +57,8 @@ v5.0-git
 v4.3.4-cvs
 ----------
 
+[mms] SECURITY: Don't cache local PGP public keys retrieved from the
+      addressbook (found by Peter Meier <peter.meier@immerda.ch>).
 [jan] If updating a calendar event fails, try to import it instead (Bug #7589).
 [mms] Fix [un]escaping of various URLs on message screen caused by security
       fixes in v4.3.3 (Bug #7926).

diff --git a/imp/lib/Crypt/Pgp.php b/imp/lib/Crypt/Pgp.php
index fba6014..106b0c6 100644 (file)
--- a/imp/lib/Crypt/Pgp.php
+++ b/imp/lib/Crypt/Pgp.php
@@ -189,7 +189,15 @@ class IMP_Crypt_Pgp extends Horde_Crypt_Pgp
 
         /* Try retrieving via a PGP public keyserver. */
         if ($server && is_a($result, 'PEAR_Error')) {
-            $result = $this->getFromPublicKeyserver($fingerprint, $address);
+            try {
+                $result = $this->getFromPublicKeyserver($fingerprint, $address);
+
+                /* If there is a cache driver configured and a cache object
+                 * exists, store the retrieved public key in the cache. */
+                if (is_object($cache)) {
+                    $cache->set("PGPpublicKey_" . $address . $fingerprint, $result, 3600);
+                }
+            } catch (Horde_Exception $e) {}
         }
 
         /* Return now, if no public key found at all. */
@@ -204,12 +212,6 @@ class IMP_Crypt_Pgp extends Horde_Crypt_Pgp
             reset($result);
         }
 
-        /* If there is a cache driver configured and a cache object exists,
-         * store the public key in the cache. */
-        if (is_object($cache)) {
-            $cache->set("PGPpublicKey_" . $address . $fingerprint, $result, 3600);
-        }
-
         return $result;
     }