Message 55346 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	gagern
Recipients	barry, collinwinter, gagern, georg.brandl
Date	2007-08-28.01:55:07
SpamBayes Score	0.26028627
Marked as misclassified	No
Message-id	<1188266108.44.0.614013799164.issue1670765@psf.upfronthosting.co.za>
In-reply-to

Content
Take the attached test5.eml. Run it through the following python script: import email print (email.message_from_file(open("test5.eml")).as_string(False)) The result will have both instances of the X-Long-Line header rewrapped. As the second instance is included in the digest calculation, the signature verification will now fail. This is a real world signature algorithm, following RFC 3156 (if I didn't make a mistake). If you have an OpenPGP-enabled mailreader (e.g. enigmail for Thunderbird) and have some way of injecting a mail as is into your mail folders (e.g. a maildir-based server), then you can use this setup to verify that the signature was correct in the first place and is broken after parsing and reconstruction by python. If you don't have such a setup available, and you don't believe me that rewrapping the header breaks the signature, then I could either devise some unrealistic but easy-to-check signing process, or could try to get this working with an S/MIME signature using an X.509 certificate. I would rather avoid this, though.

Take the attached test5.eml. Run it through the following python script:

import email
print (email.message_from_file(open("test5.eml")).as_string(False))

The result will have both instances of the X-Long-Line header rewrapped.
As the second instance is included in the digest calculation, the
signature verification will now fail.

This is a real world signature algorithm, following RFC 3156 (if I
didn't make a mistake). If you have an OpenPGP-enabled mailreader (e.g.
enigmail for Thunderbird) and have some way of injecting a mail as is
into your mail folders (e.g. a maildir-based server), then you can use
this setup to verify that the signature was correct in the first place
and is broken after parsing and reconstruction by python.

If you don't have such a setup available, and you don't believe me that
rewrapping the header breaks the signature, then I could either devise
some unrealistic but easy-to-check signing process, or could try to get
this working with an S/MIME signature using an X.509 certificate. I
would rather avoid this, though.

Files
File name	Uploaded
test5.eml	gagern, 2007-08-28.01:55:07

History
Date	User	Action	Args
2007-08-28 01:55:08	gagern	set	spambayes_score: 0.260286 -> 0.26028627 recipients: + gagern, barry, georg.brandl, collinwinter
2007-08-28 01:55:08	gagern	set	spambayes_score: 0.260286 -> 0.260286 messageid: <1188266108.44.0.614013799164.issue1670765@psf.upfronthosting.co.za>
2007-08-28 01:55:08	gagern	link	issue1670765 messages
2007-08-28 01:55:07	gagern	create