[Python-modules-commits] [python-gnupg] 04/08: Avoid risky scan_keys() operation on modern GnuPG.
Elena Grandi
valhalla-guest at moszumanska.debian.org
Sat Apr 8 06:44:43 UTC 2017
This is an automated email from the git hooks/post-receive script.
valhalla-guest pushed a commit to branch gpg2
in repository python-gnupg.
commit 7963728cccb72bbac3f9afdd5f9bc64f37549f19
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Fri Feb 17 17:23:07 2017 -0500
Avoid risky scan_keys() operation on modern GnuPG.
Please see comments from Werner Koch at:
https://bugs.gnupg.org/gnupg/issue2942
---
gnupg.py | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/gnupg.py b/gnupg.py
index 9090599..137a6b0 100644
--- a/gnupg.py
+++ b/gnupg.py
@@ -1163,10 +1163,19 @@ class GPG(object):
List details of an ascii armored or binary key file
without first importing it to the local keyring.
- The function achieves this by running:
+ The function achieves this on modern GnuPG by running:
+
+ $ gpg --dry-run --import-options import-show --import
+
+ On older versions, it does the *much* riskier:
+
$ gpg --with-fingerprint --with-colons filename
"""
- args = ['--with-fingerprint', '--with-colons']
+ if self.version >= (2, 1, 14):
+ args = ['--dry-run', '--import-options', 'import-show', '--import']
+ else:
+ logger.warning('Warning! trying to list packets, but if the file is not a keyring, might accidentally decrypt')
+ args = ['--with-fingerprint']
args.append(no_quote(filename))
p = self._open_subprocess(args)
return self._get_list_output(p, 'scan')
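Review bot: the fallback branch for versions below (2, 1, 14) sets `args = ['--with-fingerprint']`, dropping the `--with-colons` that the removed line passed and that the docstring still shows for the older-version command (`$ gpg --with-fingerprint --with-colons filename`). Since the result is still handed to `self._get_list_output(p, 'scan')`, either restore `'--with-colons'` in the else branch or update the docstring and confirm the parser copes with the human-readable listing. The new `import-show` branch does not pass `--with-colons` either, so if that option is not supplied elsewhere the same question applies there. Separately, the fallback only logs a warning and then runs the operation the commit message calls risky; the message text could drop the leading "Warning!" (the log level already says so) and name the file being scanned so the log entry is actionable.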
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-gnupg.git