RubyGems - schleuder - Versions diffs - 3.3.0 → 3.4.1 - Mend

schleuder 3.3.0 → 3.4.1

Files changed (12) hide show

checksums.yaml +4 -4
data/README.md +4 -4
data/etc/list-defaults.yml +1 -1
data/lib/schleuder/cli.rb +8 -3
data/lib/schleuder/filters/post_decryption/90_strip_html_from_alternative_if_keywords_present.rb +21 -0
data/lib/schleuder/gpgme/ctx.rb +23 -2
data/lib/schleuder/logger_notifications.rb +6 -1
data/lib/schleuder/mail/message.rb +4 -5
data/lib/schleuder/version.rb +1 -1
data/locales/de.yml +1 -0
data/locales/en.yml +1 -0
metadata +8 -7

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 637d9f0b81f2cb7aaee30a9761eeb0f09f49d95649a00d735ce13ecd008abdad
-  data.tar.gz: ca41b305951ef8ac0fb7edfb42e87521cf1d2ce5e51be6ceaa3c57c933846067
+  metadata.gz: 3127723694c9320dbc25abc2bd7d5de2a0ca22d587c794bb36be5ae09fdf63f0
+  data.tar.gz: dfdcd502ca1498883cd931004034c7c4f8874271c06499bc39591cba407130a8
 SHA512:
-  metadata.gz: 3b7f8cd46761314484df53f64ba3d929c75eccdfd4c7a2c7ce87d76720b6fa1025d59f370126b107b08a19b9916fe7e160563739a1058dc88a537acd744af212
-  data.tar.gz: 149620dc7fc6549391af197396b68c8cf42b990e037d2224e337db57af00f90edb293e23120a8f2f8156e40cbfadcd35bca1009d066ba2126f98c4b7c90ae29a
+  metadata.gz: 31e3a5ed4c50043c7f0324f60595023cfc51766eca36aae32d326cffdcb81f09a3ad4798d4a96e43e99d67b768ab620dfe5b686ce95aeb5132f02e674cbc483a
+  data.tar.gz: bf93269f6737cfa57ce71474e15275e2379ea9c45cfc680698912d68674d0bd39a0d855ebbf09b59bdc00165948c81bc037b109012fd1b6b4a86f1664a9fcbb7

data/README.md CHANGED

@@ -47,15 +47,15 @@ Additionally these **rubygems** are required (will be installed automatically un
 Installing Schleuder
 ------------
-1. Download [the gem](https://schleuder.org/download/schleuder-3.3.0.gem) and [the OpenPGP-signature](https://schleuder.org/download/schleuder-3.3.0.gem.sig) and verify:
+1. Download [the gem](https://schleuder.org/download/schleuder-3.4.1.gem) and [the OpenPGP-signature](https://schleuder.org/download/schleuder-3.4.1.gem.sig) and verify:
    ```
    gpg --recv-key 0xB3D190D5235C74E1907EACFE898F2C91E2E6E1F3
-   gpg --verify schleuder-3.3.0.gem.sig
+   gpg --verify schleuder-3.4.1.gem.sig
    ```
 2. If all went well install the gem:
    ```
-   gem install schleuder-3.3.0.gem
+   gem install schleuder-3.4.1.gem
    ```
 3. Set up schleuder:
@@ -145,4 +145,4 @@ GNU GPL 3.0. Please see [LICENSE.txt](LICENSE.txt).
 Alternative Download
 --------------------
-Alternatively to the gem-files you can download the latest release as [a tarball](https://schleuder.org/download/schleuder-3.3.0.tar.gz) and [its OpenPGP-signature](https://schleuder.org/download/schleuder-3.3.0.tar.gz.sig).
+Alternatively to the gem-files you can download the latest release as [a tarball](https://schleuder.org/download/schleuder-3.4.1.tar.gz) and [its OpenPGP-signature](https://schleuder.org/download/schleuder-3.4.1.tar.gz.sig).

data/etc/list-defaults.yml CHANGED

@@ -6,7 +6,7 @@
 #
 # Options are listed with the behaviour encoded in the database schema.
-# Only send out enrypted emails to subscriptions?
+# Only send out encrypted emails to subscriptions?
 # (This setting does not affect resend-messages.)
 send_encrypted_only: true

data/lib/schleuder/cli.rb CHANGED

@@ -67,6 +67,7 @@ module Schleuder
     desc 'refresh_keys [list1@example.com]', "Refresh all keys of all list from the keyservers sequentially (one by one or on the passed list). (This is supposed to be run from cron weekly.)"
     def refresh_keys(list=nil)
+      GPGME::Ctx.send_notice_if_gpg_does_not_know_import_filter
       work_on_lists(:refresh_keys,list)
       permission_notice
     end
@@ -319,11 +320,15 @@ Please notify the users and admins of this list of these changes.
     private
     def work_on_lists(subj, list=nil)
-      selected_lists = if list.nil?
-        List.all
+      if list.nil?
+        selected_lists = List.all
       else
-        List.where(email: list)
+        selected_lists = List.where(email: list)
+        if selected_lists.blank?
+          error("No list with this address exists: #{list.inspect}")
+        end
       end
       selected_lists.each do |list|
         I18n.locale = list.language
         output = list.send(subj)

data/lib/schleuder/filters/post_decryption/90_strip_html_from_alternative_if_keywords_present.rb ADDED

@@ -0,0 +1,21 @@
+module Schleuder
+  module Filters
+    def self.strip_html_from_alternative_if_keywords_present(list, mail)
+      if mail[:content_type].blank? ||
+          mail[:content_type].content_type != 'multipart/alternative' ||
+          mail.keywords.blank?
+        return false
+      end
+      Schleuder.logger.debug 'Stripping html-part from multipart/alternative-message because it contains keywords'
+      mail.parts.delete_if do |part|
+        part[:content_type].content_type == 'text/html'
+      end
+      mail.content_type = 'multipart/mixed'
+      mail.add_pseudoheader(:note, I18n.t('pseudoheaders.stripped_html_from_multialt_with_keywords'))
+    end
+  end
+end

data/lib/schleuder/gpgme/ctx.rb CHANGED

@@ -103,7 +103,7 @@ module GPGME
     end
     def refresh_key(fingerprint)
-      args = "#{keyserver_arg} --refresh-keys #{fingerprint}"
+      args = "#{keyserver_arg} #{import_filter_arg} --refresh-keys #{fingerprint}"
       gpgerr, gpgout, exitcode = self.class.gpgcli(args)
       if exitcode > 0
@@ -136,7 +136,8 @@ module GPGME
       arguments, error = fetch_key_gpg_arguments_for(input)
       return error if error
-      gpgerr, gpgout, exitcode = self.class.gpgcli(arguments)
+      self.class.send_notice_if_gpg_does_not_know_import_filter
+      gpgerr, gpgout, exitcode = self.class.gpgcli("#{import_filter_arg} #{arguments}")
       # Unfortunately gpg doesn't exit with code > 0 if `--fetch-key` fails.
       if exitcode > 0 || gpgerr.grep(/ unable to fetch /).presence
@@ -270,5 +271,25 @@ module GPGME
         ""
       end
     end
+    def self.gpg_knows_import_filter?
+      sufficient_gpg_version?('2.1.15')
+    end
+    def import_filter_arg
+      if self.class.gpg_knows_import_filter?
+        %{ --import-filter drop-sig='sig_created_d > 0000-00-00'}
+      end
+    end
+    def self.send_notice_if_gpg_does_not_know_import_filter
+      if ! gpg_knows_import_filter?
+        Schleuder.logger.notify_superadmin(
+            subject: 'Schleuder installation problem',
+            message: "Your version of GnuPG is very old, please update!\n\nWith your version of GnuPG we can not protect your setup against signature flooding. Please update to at least version 2.1.15 to fix this problem. See <https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html> for details on the background."
+          )
+        ''
+      end
+    end
   end
 end

data/lib/schleuder/logger_notifications.rb CHANGED

@@ -18,9 +18,14 @@ module Schleuder
       notify_admin(string, original_message)
     end
-    def notify_admin(thing, original_message=nil, subject='Error')
+    def notify_superadmin(message:, original_message: nil, subject: 'Error')
+      notify_admin(message, original_message, subject, superadmin)
+    end
+    def notify_admin(thing, original_message=nil, subject='Error', recipients=nil)
       # Minimize using other classes here, we don't know what caused the error.
       msg_parts = convert_to_msg_parts(thing, original_message)
+      recipients ||= adminaddresses
       Array(adminaddresses).each do |address, key|
         mail = Mail.new
         mail.from = @from

data/lib/schleuder/mail/message.rb CHANGED

@@ -53,13 +53,12 @@ module Mail
       # headers, which reveals protected subjects.
       if self.subject != new.subject
         new.protected_headers_subject = self.subject.dup
-        # Delete the protected headers which might leak information.
-        if new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1"
-          new.parts.shift
-        end
       end
+      # Delete the protected headers which might leak information.
+      if new.parts.first && new.parts.first.content_type == "text/rfc822-headers; protected-headers=v1"
+        new.parts.shift
+      end
       new
     end

data/lib/schleuder/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Schleuder
-  VERSION = '3.3.0'
+  VERSION = '3.4.1'
 end

data/locales/de.yml CHANGED

@@ -251,6 +251,7 @@ de:
     invalid_input: "Ungültige Angabe. Gültig sind: URLs, OpenPGP-Fingerabdrücke, oder Emailadressen."
   pseudoheaders:
     stripped_html_from_multialt: Diese Email enthielt einen alternativen HTML-Teil, der PGP-Daten beinhaltete. Der HTML-Teil wurde entfernt, um die Email sauberer analysieren zu können.
+    stripped_html_from_multialt_with_keywords: Diese Email enthielt Schlüsselwörter und einen alternativen HTML-Teil. Der HTML-Teil wurde entfernt, um zu verhindern dass diese Schlüsselwörter Aussenstehenden bekannt werden.
   signature_states:
     unknown: "Unbekannte Signatur von unbekanntem Schlüssel 0x%{fingerprint}"
     unsigned: "Unsigniert"

data/locales/en.yml CHANGED

@@ -255,6 +255,7 @@ en:
     invalid_input: "Invalid input. Allowed are: URLs, OpenPGP-fingerprints, or email-addresses."
   pseudoheaders:
     stripped_html_from_multialt: This message included an alternating HTML-part that contained PGP-data. The HTML-part was removed to enable parsing the message more properly.
+    stripped_html_from_multialt_with_keywords: This message included keywords and an alternating HTML-part. The HTML-part was removed to prevent the disclosure of these keywords to third parties.
   signature_states:
     unknown: "Unknown signature by unknown key 0x%{fingerprint}"
     unsigned: "Unsigned"

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: schleuder
 version: !ruby/object:Gem::Version
-  version: 3.3.0
+  version: 3.4.1
 platform: ruby
 authors:
 - schleuder dev team
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2018-08-06 00:00:00.000000000 Z
+date: 2019-09-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: gpgme
@@ -36,14 +36,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.6.0
+        version: 2.7.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 2.6.0
+        version: 2.7.1
 - !ruby/object:Gem::Dependency
   name: mail-gpg
   requirement: !ruby/object:Gem::Requirement
@@ -112,14 +112,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: 1.3.6
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '1'
+        version: 1.3.6
 - !ruby/object:Gem::Dependency
   name: sinatra
   requirement: !ruby/object:Gem::Requirement
@@ -323,6 +323,7 @@ files:
 - lib/schleuder/filters/post_decryption/60_receive_signed_only.rb
 - lib/schleuder/filters/post_decryption/70_receive_encrypted_only.rb
 - lib/schleuder/filters/post_decryption/80_receive_from_subscribed_emailaddresses_only.rb
+- lib/schleuder/filters/post_decryption/90_strip_html_from_alternative_if_keywords_present.rb
 - lib/schleuder/filters/pre_decryption/10_forward_bounce_to_admins.rb
 - lib/schleuder/filters/pre_decryption/20_forward_all_incoming_to_admins.rb
 - lib/schleuder/filters/pre_decryption/30_send_key.rb
@@ -391,7 +392,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: "[none]"
-rubygems_version: 2.7.7
+rubygems_version: 2.7.6.2
 signing_key:
 specification_version: 4
 summary: Schleuder is a gpg-enabled mailing list manager with remailing-capabilities.