[Python-modules-commits] [python-gnupg] 04/08: Avoid risky scan_keys() operation on modern GnuPG.

Elena Grandi valhalla-guest at moszumanska.debian.org
Sat Apr 8 06:44:43 UTC 2017


This is an automated email from the git hooks/post-receive script.

valhalla-guest pushed a commit to branch gpg2
in repository python-gnupg.

commit 7963728cccb72bbac3f9afdd5f9bc64f37549f19
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date:   Fri Feb 17 17:23:07 2017 -0500

    Avoid risky scan_keys() operation on modern GnuPG.
    
    Please see comments from Werner Koch at:
    
    https://bugs.gnupg.org/gnupg/issue2942
---
 gnupg.py | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/gnupg.py b/gnupg.py
index 9090599..137a6b0 100644
--- a/gnupg.py
+++ b/gnupg.py
@@ -1163,10 +1163,19 @@ class GPG(object):
         List details of an ascii armored or binary key file
         without first importing it to the local keyring.
 
-        The function achieves this by running:
+        The function achieves this on modern GnuPG by running:
+
+        $ gpg --dry-run --import-options import-show --import
+
+        On older versions, it does the *much* riskier:
+
         $ gpg --with-fingerprint --with-colons filename
         """
-        args = ['--with-fingerprint', '--with-colons']
+        if self.version >= (2, 1, 14):
+            args = ['--dry-run', '--import-options', 'import-show', '--import']
+        else:
+            logger.warning('Warning! trying to list packets, but if the file is not a keyring, might accidentally decrypt')
+            args = ['--with-fingerprint']
         args.append(no_quote(filename))
         p = self._open_subprocess(args)
         return self._get_list_output(p, 'scan')
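Review bot: The fallback branch for versions below 2.1.14 sets args = ['--with-fingerprint'], dropping the '--with-colons' that the removed line passed, while the docstring in the same hunk still documents the older invocation as "gpg --with-fingerprint --with-colons filename". The output is still handed to self._get_list_output(p, 'scan'), so either restore '--with-colons' in the else branch or, if that option is now supplied somewhere outside this hunk, update the docstring to match and say so in a comment. The new import-show branch passes no '--with-colons' either, so the same question applies there. Minor: the message given to logger.warning repeats "Warning!" and could state the risk more directly, for example that on this GnuPG version the file may be decrypted if it is not a keyring.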

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-gnupg.git


