From 26d5a6e862c68bf7355ade48e036732fb52561e9 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 23 Jun 2022 09:57:26 +0900
Subject: [PATCH] agent: KEYATTR only allows access to attribute.

* agent/command.c (cmd_keyattr): Check the ATTRNAME.

--

GnuPG-bug-id: 5988
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 agent/command.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/agent/command.c b/agent/command.c
index 3c17a53ad..7f42b9979 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -1229,6 +1229,14 @@ cmd_keyattr (assuan_context_t ctx, char *line)
       goto leave;
     }
 
+  if (!strcmp (argv[1], "Key:") /* It allows only access to attribute */
+      /* Make sure ATTRNAME ends with colon.  */
+      || argv[1][strlen (argv[1]) - 1] != ':')
+    {
+      err = gpg_error (GPG_ERR_INV_PARAMETER);
+      goto leave;
+    }
+
   err = parse_keygrip (ctx, argv[0], grip);
   if (err)
     goto leave;