PGPainless/pgpainless
PGPainless/pgpainless
1
0
Fork 0
mirror of https://github.com/pgpainless/pgpainless.git synced 2024-11-26 06:12:06 +01:00
Code Issues Releases Wiki Activity

Add comment about readSignatures skipping compressed data packets

Browse source
This commit is contained in:
Paul Schaub 2022-05-08 11:34:56 +02:00
parent 12e62d381c
commit 8fd67da973
Signed by: vanitasvitae
GPG key ID: 62BEE9264BF17311
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
pgpainless-core/src/main/java/org/pgpainless/signature/SignatureUtils.java
View file

@ -249,8 +249,13 @@ public final class SignatureUtils {
int i = 0; int i = 0;
Object nextObject; Object nextObject;
while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) { while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
// Since signatures are indistinguishable from randomness, there is no point in having them compressed,
// except for an attacker who is trying to exploit flaws in the decompression algorithm.
// Therefore, we ignore compressed data packets without attempting decompression.
if (nextObject instanceof PGPCompressedData) { if (nextObject instanceof PGPCompressedData) {
PGPCompressedData compressedData = (PGPCompressedData) nextObject; PGPCompressedData compressedData = (PGPCompressedData) nextObject;
// getInputStream() does not do decompression, contrary to getDataStream().
Streams.drain(compressedData.getInputStream()); // Skip packet without decompressing Streams.drain(compressedData.getInputStream()); // Skip packet without decompressing
} }