Bump version to 0.9.0 since this is now a feature release
- Update oversigned (frozen) header field list to reduce signature
fragility (removes 'date' and 'subject' fields from being oversigned by
default - see usage section of README for information on how to restore
the previous behavior)
- Added new add_should_not for DKIM/ARC classes to prevent additional
header fields from being signed
- Added 'from' to should sign list (to prevent it from not being signed at
all in the unusual event that 'from' is locally removed from the frozen
header field set (LP: #1525048)
- Updates for experimental ARC support:
- Specified that for ARC, Authentication-Results should not be signed
This commit is contained in:
Scott Kitterman
+23
-3
@@ -486,12 +486,12 @@ class DomainSigner(object):
|
||||
#:
|
||||
#: The short list below is the result more of instinct than logic.
|
||||
#: @since: 0.5
|
||||
FROZEN = (b'from',b'date',b'subject')
|
||||
FROZEN = (b'from',)
|
||||
|
||||
#: The rfc6376 recommended header fields to sign
|
||||
#: @since: 0.5
|
||||
SHOULD = (
|
||||
b'sender', b'reply-to', b'subject', b'date', b'message-id', b'to', b'cc',
|
||||
b'from', b'sender', b'reply-to', b'subject', b'date', b'message-id', b'to', b'cc',
|
||||
b'mime-version', b'content-type', b'content-transfer-encoding',
|
||||
b'content-id', b'content-description', b'resent-date', b'resent-from',
|
||||
b'resent-sender', b'resent-to', b'resent-cc', b'resent-message-id',
|
||||
@@ -526,11 +526,30 @@ class DomainSigner(object):
|
||||
>>> dkim = DKIM()
|
||||
>>> dkim.add_frozen(DKIM.RFC5322_SINGLETON)
|
||||
>>> [text(x) for x in sorted(dkim.frozen_sign)]
|
||||
['cc', 'date', 'from', 'in-reply-to', 'message-id', 'references', 'reply-to', 'sender', 'subject', 'to']
|
||||
['cc', 'date', 'from', 'in-reply-to', 'message-id', 'references', 'reply-to', 'sender', 'to']
|
||||
>>> dkim2 = DKIM()
|
||||
>>> dkim2.add_frozen((b'date',b'subject'))
|
||||
>>> [text(x) for x in sorted(dkim2.frozen_sign)]
|
||||
['date', 'from', 'subject']
|
||||
"""
|
||||
self.frozen_sign.update(x.lower() for x in s
|
||||
if x.lower() not in self.should_not_sign)
|
||||
|
||||
|
||||
def add_should_not(self,s):
|
||||
""" Add headers not in should_not_sign to frozen_sign.
|
||||
@param s: list of headers to add to frozen_sign
|
||||
@since: 0.5
|
||||
|
||||
>>> dkim = DKIM()
|
||||
>>> dkim.add_should_not(DKIM.RFC5322_SINGLETON)
|
||||
>>> [text(x) for x in sorted(dkim.should_not_sign)]
|
||||
['bcc', 'cc', 'comments', 'date', 'dkim-signature', 'in-reply-to', 'keywords', 'message-id', 'received', 'references', 'reply-to', 'resent-bcc', 'return-path', 'sender', 'to']
|
||||
"""
|
||||
self.should_not_sign.update(x.lower() for x in s
|
||||
if x.lower() not in self.frozen_sign)
|
||||
|
||||
|
||||
#: Load a new message to be signed or verified.
|
||||
#: @param message: an RFC822 formatted message to be signed or verified
|
||||
#: (with either \\n or \\r\\n line endings)
|
||||
@@ -900,6 +919,7 @@ class ARC(DomainSigner):
|
||||
timestamp=None, standardize=False):
|
||||
|
||||
INSTANCE_LIMIT = 50 # Maximum allowed i= value
|
||||
self.add_should_not(('Authentication-Results',))
|
||||
# check if authres has been imported
|
||||
try:
|
||||
AuthenticationResultsHeader
|
||||
|
||||
Reference in New Issue
Block a user