From 2e7eadbc1e7204a42839a551418c8f8044fcd0cc Mon Sep 17 00:00:00 2001
From: David Shaw <dshaw@jabberwocky.com>
Date: Wed, 12 Dec 2007 16:38:23 +0000
Subject: [PATCH] * trustdb.c (sanitize_regexp): New.  Protect against
 dangerous regexps (malloc bombs) by force-commenting any characters aside
 from the ones we explicitly want.  (check_regexp): Use it here before passing
 the regexp to regcomp().

---
 g10/ChangeLog |  8 +++++
 g10/trustdb.c | 97 +++++++++++++++++++++++++++++++++++++++++++++------
 2 files changed, 94 insertions(+), 11 deletions(-)

diff --git a/g10/ChangeLog b/g10/ChangeLog
index a4a772a4f..ff4281df0 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,11 @@
+2007-12-12  David Shaw  <dshaw@jabberwocky.com>
+
+	* trustdb.c (sanitize_regexp): New.  Protect against dangerous
+	regexps (malloc bombs) by force-commenting any characters aside
+	from the ones we explicitly want.
+	(check_regexp): Use it here before passing the regexp to
+	regcomp().
+
 2007-12-11  Werner Koch  <wk@g10code.com>
 
 	* mainproc.c (proc_pubkey_enc): Allow type 20 Elgamal key for
diff --git a/g10/trustdb.c b/g10/trustdb.c
index 9e0a3ada9..10f82ef97 100644
--- a/g10/trustdb.c
+++ b/g10/trustdb.c
@@ -1,6 +1,6 @@
 /* trustdb.c
- * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004,
- *               2005 Free Software Foundation, Inc.
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006,
+ *               2007 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -1749,6 +1749,69 @@ clean_key(KBNODE keyblock,int noisy,int self_only,
 		    uids_cleaned,sigs_cleaned);
 }
 
+/* Returns a sanitized copy of the regexp (which might be "", but not
+   NULL). */
+static char *
+sanitize_regexp(const char *old)
+{
+  size_t start=0,len=strlen(old),idx=0;
+  int escaped=0,standard_bracket=0;
+  char *new=xmalloc((len*2)+1); /* enough to \-escape everything if we
+				   have to */
+
+  /* There are basically two commonly-used regexps here.  GPG and most
+     versions of PGP use "<[^>]+[@.]example\.com>$" and PGP (9)
+     command line uses "example.com" (i.e. whatever the user specfies,
+     and we can't expect users know to use "\." instead of ".").  So
+     here are the rules: we're allowed to start with "<[^>]+[@.]" and
+     end with ">$" or start and end with nothing.  In between, the
+     only legal regex character is ".", and everything else gets
+     escaped.  Part of the gotcha here is that some regex packages
+     allow more than RFC-4880 requires.  For example, 4880 has no "{}"
+     operator, but GNU regex does.  Commenting removes these operators
+     from consideration.  A possible future enhancement is to use
+     commenting to effectively back off a given regex to the Henry
+     Spencer syntax in 4880. -dshaw */
+
+  /* Are we bracketed between "<[^>]+[@.]" and ">$" ? */
+  if(len>=12 && strncmp(old,"<[^>]+[@.]",10)==0
+     && old[len-2]=='>' && old[len-1]=='$')
+    {
+      strcpy(new,"<[^>]+[@.]");
+      idx=strlen(new);
+      standard_bracket=1;
+      start+=10;
+      len-=2;
+    }
+
+  /* Walk the remaining characters and ensure that everything that is
+     left is not an operational regex character. */
+  for(;start<len;start++)
+    {
+      if(!escaped && old[start]=='\\')
+	escaped=1;
+      else if(!escaped && old[start]!='.')
+	new[idx++]='\\';
+      else
+	escaped=0;
+
+      new[idx++]=old[start];
+    }
+
+  new[idx]='\0';
+
+  /* Note that the (sub)string we look at might end with a bare "\".
+     If it does, leave it that way.  If the regexp actually ended with
+     ">$", then it was escaping the ">" and is fine.  If the regexp
+     actually ended with the bare "\", then it's an illegal regexp and
+     regcomp should kick it out. */
+
+  if(standard_bracket)
+    strcat(new,">$");
+
+  return new;
+}
+
 /* Used by validate_one_keyblock to confirm a regexp within a trust
    signature.  Returns 1 for match, and 0 for no match or regex
    error. */
@@ -1759,23 +1822,35 @@ check_regexp(const char *expr,const char *string)
   /* When DISABLE_REGEX is defined, assume all regexps do not
      match. */
   return 0;
-#elif defined(__riscos__)
-  return riscos_check_regexp(expr, string, DBG_TRUST);
 #else
   int ret;
-  regex_t pat;
+  char *regexp;
 
-  if(regcomp(&pat,expr,REG_ICASE|REG_NOSUB|REG_EXTENDED)!=0)
-    return 0;
+  regexp=sanitize_regexp(expr);
 
-  ret=regexec(&pat,string,0,NULL,0);
+#ifdef __riscos__
+  ret=riscos_check_regexp(expr, string, DBG_TRUST);
+#else
+  {
+    regex_t pat;
 
-  regfree(&pat);
+    ret=regcomp(&pat,regexp,REG_ICASE|REG_NOSUB|REG_EXTENDED);
+    if(ret==0)
+      {
+	ret=regexec(&pat,string,0,NULL,0);
+	regfree(&pat);
+	ret=(ret==0);
+      }
+  }
+#endif
 
   if(DBG_TRUST)
-    log_debug("regexp `%s' on `%s': %s\n",expr,string,ret==0?"YES":"NO");
+    log_debug("regexp `%s' (`%s') on `%s': %s\n",
+	      regexp,expr,string,ret==0?"YES":"NO");
 
-  return (ret==0);
+  xfree(regexp);
+
+  return ret;
 #endif
 }