In include/items.php, within functions item_store and item_store_update, around lines 1951 and 2454 respectively, we define the body of the item to be stored as trim($arr['body']).
This has the potential to break signature checking if one receives a post that was not trimmed at the origin.
It is usually not a problem for public posts since those usually get signed in item_store after being trimmed.
It is also usually not a problem for private posts, even though they get singed in mod/item.php:item_post, because they get obscured before being signed. Indeed, the issue hit me in the head because I needed to stop obscuring my posts.
In any case, trimming behavior may vary in other implementations, and we should preserve whatever we get as body since it's the only thing we can verify against the signature.
Besides, trimming breaks ASCII-ART.
I fixed it for myself with a very simple patch for which I'll soon place a pull.
In include/items.php, within functions item_store and item_store_update, around lines 1951 and 2454 respectively, we define the body of the item to be stored as
trim($arr['body'])
.This has the potential to break signature checking if one receives a post that was not trimmed at the origin.
It is usually not a problem for public posts since those usually get signed in item_store after being trimmed.
It is also usually not a problem for private posts, even though they get singed in
mod/item.php:item_post
, because they get obscured before being signed. Indeed, the issue hit me in the head because I needed to stop obscuring my posts.In any case, trimming behavior may vary in other implementations, and we should preserve whatever we get as body since it's the only thing we can verify against the signature.
Besides, trimming breaks ASCII-ART.
I fixed it for myself with a very simple patch for which I'll soon place a pull.