[tor-bugs] #30480 [Applications/rbm]: rbm should check that a signed tag object contains the expected tag name

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue May 21 13:03:40 UTC 2019


#30480: rbm should check that a signed tag object contains the expected tag name
----------------------------------+--------------------------------
 Reporter:  boklm                 |          Owner:  boklm
     Type:  task                  |         Status:  needs_revision
 Priority:  Medium                |      Milestone:
Component:  Applications/rbm      |        Version:
 Severity:  Normal                |     Resolution:
 Keywords:  TorBrowserTeam201905  |  Actual Points:
Parent ID:                        |         Points:
 Reviewer:                        |        Sponsor:
----------------------------------+--------------------------------
Changes (by gk):

 * status:  needs_review => needs_revision
 * keywords:  TorBrowserTeam201905R => TorBrowserTeam201905


Comment:

 I guess
 {{{
 +        return $1 if $l =~ m/^tag (.*)$/;
 }}}
 is assuming that the first such line showing up is the one we want and an
 attacker can't get to enter fake tag lines (like they can do with a commit
 message) before that? If so, could we add a comment here?

 s/helping fix/helping to fix/

 Otherwise this looks good to me.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30480#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
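
An added example (not rbm's code and not part of the ticket) of the header-only parse that the comment's question is about: in a git tag object the headers come before the first empty line and the free-form message after it, so the scan stops there. The helper names and both sample objects are constructed for illustration; the object id, tagger and signature are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the name from the "tag" header of a raw tag object (the text printed
# by `git cat-file tag <name>`), or undef if the header section has none.
# Headers end at the first empty line; everything after it is the tag
# message, whose content the tag's author chooses freely.
sub tag_name_from_object {
    my ($raw) = @_;
    foreach my $l (split /\n/, $raw) {
        last if $l eq '';                  # end of headers: stop scanning
        return $1 if $l =~ m/^tag (.*)$/;  # same match as the quoted line
    }
    return;
}

# Hypothetical helper: accept the object only if its header names the tag
# that was requested.
sub tag_matches {
    my ($raw, $expected) = @_;
    my $name = tag_name_from_object($raw);
    return (defined($name) && $name eq $expected) ? 1 : 0;
}

# Constructed sample: a well-formed tag object whose message also contains a
# line that looks like a "tag" header.
my $sample = join "\n",
    'object 0000000000000000000000000000000000000000',
    'type commit',
    'tag v1.0',
    'tagger Example Tagger <tagger@example.org> 1558443820 +0000',
    '',
    'Release notes',
    'tag v2.0',
    '-----BEGIN PGP SIGNATURE-----',
    '(signature elided)',
    '-----END PGP SIGNATURE-----',
    '';

# Constructed sample: malformed object with no "tag" header, only a
# tag-like line in the message.
my $headerless = join "\n",
    'object 0000000000000000000000000000000000000000',
    'type commit', '', 'tag v2.0', '';

print 'sample as v1.0: ',     tag_matches($sample, 'v1.0'),     "\n";  # 1
print 'sample as v2.0: ',     tag_matches($sample, 'v2.0'),     "\n";  # 0
print 'headerless as v2.0: ', tag_matches($headerless, 'v2.0'), "\n";  # 0
```

Without the `last if $l eq ''` line the third case would return `v2.0` from the message body, which is the situation the comment asks the patch to rule out or document.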