mirror of
https://github.com/pgpainless/pgpainless.git
synced 2024-11-23 04:42:06 +01:00
Introduce iteration limit to prevent resource exhaustion when reading signatures
This commit is contained in:
parent
073cf870d2
commit
c4618617f6
1 changed files with 18 additions and 1 deletions
|
@ -43,6 +43,8 @@ import org.pgpainless.util.ArmorUtils;
|
||||||
*/
|
*/
|
||||||
public final class SignatureUtils {
|
public final class SignatureUtils {
|
||||||
|
|
||||||
|
public static final int MAX_ITERATIONS = 10000;
|
||||||
|
|
||||||
private SignatureUtils() {
|
private SignatureUtils() {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
@ -220,13 +222,28 @@ public final class SignatureUtils {
|
||||||
* @throws PGPException in case of an OpenPGP error
|
* @throws PGPException in case of an OpenPGP error
|
||||||
*/
|
*/
|
||||||
public static List<PGPSignature> readSignatures(InputStream inputStream) throws IOException, PGPException {
|
public static List<PGPSignature> readSignatures(InputStream inputStream) throws IOException, PGPException {
|
||||||
|
return readSignatures(inputStream, MAX_ITERATIONS);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Read and return {@link PGPSignature PGPSignatures}.
|
||||||
|
* This method can deal with signatures that may be armored, compressed and may contain marker packets.
|
||||||
|
*
|
||||||
|
* @param inputStream input stream
|
||||||
|
* @param maxIterations number of loop iterations until reading is aborted
|
||||||
|
* @return list of encountered signatures
|
||||||
|
* @throws IOException in case of a stream error
|
||||||
|
* @throws PGPException in case of an OpenPGP error
|
||||||
|
*/
|
||||||
|
public static List<PGPSignature> readSignatures(InputStream inputStream, int maxIterations) throws IOException, PGPException {
|
||||||
List<PGPSignature> signatures = new ArrayList<>();
|
List<PGPSignature> signatures = new ArrayList<>();
|
||||||
InputStream pgpIn = ArmorUtils.getDecoderStream(inputStream);
|
InputStream pgpIn = ArmorUtils.getDecoderStream(inputStream);
|
||||||
PGPObjectFactory objectFactory = new PGPObjectFactory(
|
PGPObjectFactory objectFactory = new PGPObjectFactory(
|
||||||
pgpIn, ImplementationFactory.getInstance().getKeyFingerprintCalculator());
|
pgpIn, ImplementationFactory.getInstance().getKeyFingerprintCalculator());
|
||||||
|
|
||||||
|
int i = 0;
|
||||||
Object nextObject;
|
Object nextObject;
|
||||||
while ((nextObject = objectFactory.nextObject()) != null) {
|
while (i++ < maxIterations && (nextObject = objectFactory.nextObject()) != null) {
|
||||||
if (nextObject instanceof PGPCompressedData) {
|
if (nextObject instanceof PGPCompressedData) {
|
||||||
PGPCompressedData compressedData = (PGPCompressedData) nextObject;
|
PGPCompressedData compressedData = (PGPCompressedData) nextObject;
|
||||||
objectFactory = new PGPObjectFactory(compressedData.getDataStream(),
|
objectFactory = new PGPObjectFactory(compressedData.getDataStream(),
|
||||||
|
|
Loading…
Reference in a new issue