From: Michael M Slusarz Date: Tue, 3 Mar 2009 21:22:49 +0000 (-0700) Subject: SECURITY: Don't cache local addressbook PGP public key results X-Git-Url: https://git.internetallee.de/?a=commitdiff_plain;h=6171e8faeca539b2746ee9e251a6781d501465aa;p=horde.git SECURITY: Don't cache local addressbook PGP public key results --- diff --git a/imp/docs/CHANGES b/imp/docs/CHANGES index 06f22dbd5..838ada938 100644 --- a/imp/docs/CHANGES +++ b/imp/docs/CHANGES @@ -57,6 +57,8 @@ v5.0-git v4.3.4-cvs ---------- +[mms] SECURITY: Don't cache local PGP public keys retrieved from the + addressbook (found by Peter Meier ). [jan] If updating a calendar event fails, try to import it instead (Bug #7589). [mms] Fix [un]escaping of various URLs on message screen caused by security fixes in v4.3.3 (Bug #7926). diff --git a/imp/lib/Crypt/Pgp.php b/imp/lib/Crypt/Pgp.php index fba601469..106b0c62d 100644 --- a/imp/lib/Crypt/Pgp.php +++ b/imp/lib/Crypt/Pgp.php @@ -189,7 +189,15 @@ class IMP_Crypt_Pgp extends Horde_Crypt_Pgp /* Try retrieving via a PGP public keyserver. */ if ($server && is_a($result, 'PEAR_Error')) { - $result = $this->getFromPublicKeyserver($fingerprint, $address); + try { + $result = $this->getFromPublicKeyserver($fingerprint, $address); + + /* If there is a cache driver configured and a cache object + * exists, store the retrieved public key in the cache. */ + if (is_object($cache)) { + $cache->set("PGPpublicKey_" . $address . $fingerprint, $result, 3600); + } + } catch (Horde_Exception $e) {} } /* Return now, if no public key found at all. */ @@ -204,12 +212,6 @@ class IMP_Crypt_Pgp extends Horde_Crypt_Pgp reset($result); } - /* If there is a cache driver configured and a cache object exists, - * store the public key in the cache. */ - if (is_object($cache)) { - $cache->set("PGPpublicKey_" . $address . $fingerprint, $result, 3600); - } - return $result; }
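Review bot: The `$cache->set(...)` call inside the new `try` in imp/lib/Crypt/Pgp.php stores the raw return value of `getFromPublicKeyserver()` before the later "Return now, if no public key found at all" check and the `reset($result)` handling run, whereas the removed block cached only after both. If the keyserver call can still return a `PEAR_Error` or an array instead of throwing (not visible here), that value is cached for 3600 seconds and served on later lookups; a guard such as `if (is_object($cache) && !is_a($result, 'PEAR_Error')) {` would keep failures out of the cache. Entries written by the old code under the same `PGPpublicKey_` key, including addressbook-derived ones, presumably stay readable until they expire, so the upgrade notes should tell administrators to flush the cache. The empty `catch (Horde_Exception $e) {}` deserves a comment saying that `$result` deliberately keeps the earlier addressbook error, e.g. `/* Keyserver lookup failed; keep the addressbook error in $result. */`. The enclosing method starts and ends outside this hunk.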