Don't passthrough 'Content-Type: multipart/signed' header

Message ID 20181104142704.31105-1-stephen@that.guru
State Accepted
Series
  • Don't passthrough 'Content-Type: multipart/signed' header

Commit Message

Stephen Finucane Nov. 4, 2018, 2:27 p.m.
We don't save GPG signatures, therefore this header is incorrect. Stop
passing it through.

A test for the other dropped header is also included.

Signed-off-by: Stephen Finucane <stephen@that.guru>
Cc: Veronika Kabatova <vkabatov@redhat.com>
Closes: #221
---
 patchwork/tests/test_mboxviews.py | 15 +++++++++++++++
 patchwork/views/utils.py          |  6 ++++++
 2 files changed, 21 insertions(+)

Comments

Veronika Kabatova Nov. 12, 2018, 12:33 p.m. | #1
----- Original Message -----
> From: "Stephen Finucane" <stephen@that.guru>
> To: patchwork@lists.ozlabs.org
> Cc: "Stephen Finucane" <stephen@that.guru>, "Veronika Kabatova" <vkabatov@redhat.com>
> Sent: Sunday, November 4, 2018 3:27:04 PM
> Subject: [PATCH] Don't passthrough 'Content-Type: multipart/signed' header
> 
> We don't GPG signatures, therefore this header is incorrect. Stop
> passing it through.
> 
> Test for the other dropped header are also included.
> 
> Signed-off-by: Stephen Finucane <stephen@that.guru>
> Cc: Veronika Kabatova <vkabatov@redhat.com>
> Closes: #221
> ---
>  patchwork/tests/test_mboxviews.py | 15 +++++++++++++++
>  patchwork/views/utils.py          |  6 ++++++
>  2 files changed, 21 insertions(+)
> 
> diff --git a/patchwork/tests/test_mboxviews.py
> b/patchwork/tests/test_mboxviews.py
> index 50444d65..87c75eca 100644
> --- a/patchwork/tests/test_mboxviews.py
> +++ b/patchwork/tests/test_mboxviews.py
> @@ -111,6 +111,21 @@ class MboxHeaderTest(TestCase):
>          header = 'List-Id: Patchwork development
>          <patchwork.lists.ozlabs.org>'
>          self._test_header_passthrough(header)
>  
> +    def _test_header_dropped(self, header):
> +        patch = create_patch(headers=header + '\n')
> +        response = self.client.get(reverse('patch-mbox', args=[patch.id]))
> +        self.assertNotContains(response, header)
> +
> +    def test_header_dropped_content_transfer_encoding(self):
> +        """Validate dropping of 'Content-Transfer-Encoding' header."""
> +        header = 'Content-Transfer-Encoding: quoted-printable'
> +        self._test_header_dropped(header)
> +
> +    def test_header_dropped_content_type_multipart_signed(self):
> +        """Validate dropping of 'Content-Type=multipart/signed' header."""
> +        header = 'Content-Type: multipart/signed'
> +        self._test_header_dropped(header)
> +
>      def test_patchwork_id_header(self):
>          """Validate inclusion of generated 'X-Patchwork-Id' header."""
>          patch = create_patch()
> diff --git a/patchwork/views/utils.py b/patchwork/views/utils.py
> index 3c5d2982..1da1aaab 100644
> --- a/patchwork/views/utils.py
> +++ b/patchwork/views/utils.py
> @@ -84,8 +84,14 @@ def _submission_to_mbox(submission):
>  
>      orig_headers = HeaderParser().parsestr(str(submission.headers))
>      for key, val in orig_headers.items():
> +        # we set this ourselves
>          if key == 'Content-Transfer-Encoding':
>              continue
> +        # we don't save GPG signatures described in RFC1847 [1] so this
> +        # Content-Type value is invalid
> +        # [1] https://tools.ietf.org/html/rfc1847
> +        if key == 'Content-Type' and val == 'multipart/signed':
> +            continue
>          mail[key] = val
>  

Good catch!

Acked-by: Veronika Kabatova <vkabatov@redhat.com>

>      if 'Date' not in mail:
> --
> 2.19.1
> 
>

Patch

diff --git a/patchwork/tests/test_mboxviews.py b/patchwork/tests/test_mboxviews.py
index 50444d65..87c75eca 100644
--- a/patchwork/tests/test_mboxviews.py
+++ b/patchwork/tests/test_mboxviews.py
@@ -111,6 +111,21 @@  class MboxHeaderTest(TestCase):
         header = 'List-Id: Patchwork development <patchwork.lists.ozlabs.org>'
         self._test_header_passthrough(header)
 
+    def _test_header_dropped(self, header):
+        patch = create_patch(headers=header + '\n')
+        response = self.client.get(reverse('patch-mbox', args=[patch.id]))
+        self.assertNotContains(response, header)
+
+    def test_header_dropped_content_transfer_encoding(self):
+        """Validate dropping of 'Content-Transfer-Encoding' header."""
+        header = 'Content-Transfer-Encoding: quoted-printable'
+        self._test_header_dropped(header)
+
+    def test_header_dropped_content_type_multipart_signed(self):
+        """Validate dropping of 'Content-Type=multipart/signed' header."""
+        header = 'Content-Type: multipart/signed'
+        self._test_header_dropped(header)
+
     def test_patchwork_id_header(self):
         """Validate inclusion of generated 'X-Patchwork-Id' header."""
         patch = create_patch()
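Review bot: The fixture in `test_header_dropped_content_type_multipart_signed` uses a bare `Content-Type: multipart/signed`, which is not the form a signed message normally carries: RFC 1847 requires `protocol` and `micalg` parameters, and a multipart type also needs a `boundary`. As written the test passes without showing that a realistic header is dropped from the exported mbox. I would add a second case with a constructed value such as `header = 'Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="sig"'` and assert that `multipart/signed` does not appear in the response. `MboxHeaderTest` starts and continues outside this hunk.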
diff --git a/patchwork/views/utils.py b/patchwork/views/utils.py
index 3c5d2982..1da1aaab 100644
--- a/patchwork/views/utils.py
+++ b/patchwork/views/utils.py
@@ -84,8 +84,14 @@  def _submission_to_mbox(submission):
 
     orig_headers = HeaderParser().parsestr(str(submission.headers))
     for key, val in orig_headers.items():
+        # we set this ourselves
         if key == 'Content-Transfer-Encoding':
             continue
+        # we don't save GPG signatures described in RFC1847 [1] so this
+        # Content-Type value is invalid
+        # [1] https://tools.ietf.org/html/rfc1847
+        if key == 'Content-Type' and val == 'multipart/signed':
+            continue
         mail[key] = val
 
     if 'Date' not in mail:
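Review bot: The new check `val == 'multipart/signed'` matches only a header value with no parameters, so a real signed submission, whose value carries `protocol=`, `micalg=` and `boundary=` after the media type, would still be passed through. The exported mbox would then declare a signed structure whose signature part is, per the comment above the check, not saved, which can mislead mail clients and tooling that look at the signature state. Comparing only the media type, case-insensitively, closes this: `if key.lower() == 'content-type' and val.split(';', 1)[0].strip().lower() == 'multipart/signed':`. Header names are case-insensitive too, so the existing `Content-Transfer-Encoding` comparison likely needs the same `key.lower()` treatment. `_submission_to_mbox` begins and ends outside this hunk, so how `mail` gets its own Content-Type is not visible here.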