From 6171e8faeca539b2746ee9e251a6781d501465aa Mon Sep 17 00:00:00 2001
From: Michael M Slusarz
Date: Tue, 3 Mar 2009 14:22:49 -0700
Subject: [PATCH] SECURITY: Don't cache local addressbook PGP public key results
---
 imp/docs/CHANGES | 2 ++
 imp/lib/Crypt/Pgp.php | 16 +++++++++-------
 2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/imp/docs/CHANGES b/imp/docs/CHANGES
index 06f22dbd5..838ada938 100644
--- a/imp/docs/CHANGES
+++ b/imp/docs/CHANGES
@@ -57,6 +57,8 @@ v5.0-git
 v4.3.4-cvs
 ----------
+[mms] SECURITY: Don't cache local PGP public keys retrieved from the
+ addressbook (found by Peter Meier ).
 [jan] If updating a calendar event fails, try to import it instead (Bug #7589).
 [mms] Fix [un]escaping of various URLs on message screen caused by security fixes in v4.3.3 (Bug #7926).
diff --git a/imp/lib/Crypt/Pgp.php b/imp/lib/Crypt/Pgp.php
index fba601469..106b0c62d 100644
--- a/imp/lib/Crypt/Pgp.php
+++ b/imp/lib/Crypt/Pgp.php
@@ -189,7 +189,15 @@ class IMP_Crypt_Pgp extends Horde_Crypt_Pgp
 /* Try retrieving via a PGP public keyserver. */
 if ($server && is_a($result, 'PEAR_Error')) {
- $result = $this->getFromPublicKeyserver($fingerprint, $address);
+ try {
+ $result = $this->getFromPublicKeyserver($fingerprint, $address);
+
+ /* If there is a cache driver configured and a cache object
+ * exists, store the retrieved public key in the cache. */
+ if (is_object($cache)) {
+ $cache->set("PGPpublicKey_" . $address . $fingerprint, $result, 3600);
+ }
+ } catch (Horde_Exception $e) {}
 }
 /* Return now, if no public key found at all. */
@@ -204,12 +212,6 @@ class IMP_Crypt_Pgp extends Horde_Crypt_Pgp
 reset($result);
 }
- /* If there is a cache driver configured and a cache object exists,
- * store the public key in the cache. */
- if (is_object($cache)) {
- $cache->set("PGPpublicKey_" . $address . $fingerprint, $result, 3600);
- }
-
 return $result;
 }
--
2.11.0
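Review bot: The `$cache->set(...)` call added inside the `try` in the first Pgp.php hunk stores whatever `getFromPublicKeyserver()` returns without checking that it is actually a key. The surrounding code still tests `is_a($result, 'PEAR_Error')`, so if the keyserver method can return an error object instead of throwing (its body is not part of this diff), that error would be cached for 3600 seconds and handed to later lookups for the same address; guarding the write with `if (is_object($cache) && !is_a($result, 'PEAR_Error')) {` avoids that. The empty `catch (Horde_Exception $e) {}` also discards the keyserver failure silently; a comment such as `/* Keyserver lookup failed; $result keeps the earlier PEAR_Error. */` would make the intent explicit. The enclosing method starts and ends outside this hunk, so the cache read path could not be checked here.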