friendica / red

The Red Matrix
MIT License

Trimming the body can break item signatures #894

Closed (solstag closed 9 years ago)

solstag commented 9 years ago

In include/items.php, within functions item_store and item_store_update, around lines 1951 and 2454 respectively, we define the body of the item to be stored as trim($arr['body']).

This has the potential to break signature checking if one receives a post that was not trimmed at the origin.

It is usually not a problem for public posts since those usually get signed in item_store after being trimmed.

It is also usually not a problem for private posts, even though they get signed in mod/item.php:item_post, because they get obscured before being signed. Indeed, the issue hit me in the head because I needed to stop obscuring my posts.

In any case, trimming behavior may vary in other implementations, and we should preserve whatever we get as body since it's the only thing we can verify against the signature.

Besides, trimming breaks ASCII-ART.

I fixed it for myself with a very simple patch for which I'll soon place a pull.
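The failure described in this issue, reproduced as an added example that is not part of the original thread and is not Red Matrix code: a receiver that applies `trim()` before storing can no longer verify a body that was signed untrimmed at the origin. The function names, the RSA/SHA-256 signature scheme and the sample bodies are assumptions made for the demonstration.

```php
<?php
// Added example. All function names here are hypothetical, not from include/items.php.

// Origin: sign the body byte-for-byte as authored (assumed scheme: RSA with SHA-256).
function sign_body(string $body, $privkey): string {
    openssl_sign($body, $sig, $privkey, OPENSSL_ALGO_SHA256);
    return base64_encode($sig);
}

// Receiver: check the stored body against the signature that travelled with it.
function verify_body(string $body, string $sig_b64, string $pubkey_pem): bool {
    return openssl_verify($body, base64_decode($sig_b64), $pubkey_pem,
                          OPENSSL_ALGO_SHA256) === 1;
}

// Storage that normalises the body first, as the issue describes.
function store_trimmed(array $arr): array {
    return ['body' => trim($arr['body']), 'sig' => $arr['sig']];
}

// Storage that keeps the received bytes untouched.
function store_verbatim(array $arr): array {
    return ['body' => $arr['body'], 'sig' => $arr['sig']];
}

// Throwaway key pair for the demonstration.
$key = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$pub = openssl_pkey_get_details($key)['key'];

// Constructed sample bodies.
$bodies = [
    'already trimmed'  => "hello matrix",
    'trailing newline' => "hello matrix\n",
    'ascii art'        => "   /\\_/\\\n  ( o.o )\n",
];

foreach ($bodies as $label => $body) {
    $received = ['body' => $body, 'sig' => sign_body($body, $key)];
    $t = store_trimmed($received);
    $v = store_verbatim($received);
    printf("%-17s trimmed: %-5s verbatim: %s\n", $label,
        verify_body($t['body'], $t['sig'], $pub) ? 'ok' : 'FAIL',
        verify_body($v['body'], $v['sig'], $pub) ? 'ok' : 'FAIL');
}
```

Only the body that was already trimmed at the origin still verifies after `store_trimmed`; the verbatim copy verifies in every case.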

ghost commented 9 years ago

This issue was moved to redmatrix/redmatrix#180