[PATCH] Don't passthrough 'Content-Type: multipart/signed' header

Stephen Finucane stephen at that.guru
Mon Nov 5 01:27:04 AEDT 2018


We don't save GPG signatures, therefore this header is incorrect. Stop
passing it through.

Tests for the other dropped header are also included.

Signed-off-by: Stephen Finucane <stephen at that.guru>
Cc: Veronika Kabatova <vkabatov at redhat.com>
Closes: #221
---
 patchwork/tests/test_mboxviews.py | 15 +++++++++++++++
 patchwork/views/utils.py          |  6 ++++++
 2 files changed, 21 insertions(+)

diff --git a/patchwork/tests/test_mboxviews.py b/patchwork/tests/test_mboxviews.py
index 50444d65..87c75eca 100644
--- a/patchwork/tests/test_mboxviews.py
+++ b/patchwork/tests/test_mboxviews.py
@@ -111,6 +111,21 @@ class MboxHeaderTest(TestCase):
         header = 'List-Id: Patchwork development <patchwork.lists.ozlabs.org>'
         self._test_header_passthrough(header)
 
+    def _test_header_dropped(self, header):
+        patch = create_patch(headers=header + '\n')
+        response = self.client.get(reverse('patch-mbox', args=[patch.id]))
+        self.assertNotContains(response, header)
+
+    def test_header_dropped_content_transfer_encoding(self):
+        """Validate dropping of 'Content-Transfer-Encoding' header."""
+        header = 'Content-Transfer-Encoding: quoted-printable'
+        self._test_header_dropped(header)
+
+    def test_header_dropped_content_type_multipart_signed(self):
+        """Validate dropping of 'Content-Type=multipart/signed' header."""
+        header = 'Content-Type: multipart/signed'
+        self._test_header_dropped(header)
+
     def test_patchwork_id_header(self):
         """Validate inclusion of generated 'X-Patchwork-Id' header."""
         patch = create_patch()
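Review bot: `test_header_dropped_content_type_multipart_signed` feeds a bare `Content-Type: multipart/signed`, which is not the shape this header has in signed mail, where the value also carries `protocol`, `micalg` and `boundary` parameters. The test therefore passes without a realistic header ever being exercised. A second case with a parameterised value would cover that, e.g. `header = 'Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="b"'` (constructed sample), ideally alongside one with a differently-cased field name. `test_patchwork_id_header` continues past the end of this hunk.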
diff --git a/patchwork/views/utils.py b/patchwork/views/utils.py
index 3c5d2982..1da1aaab 100644
--- a/patchwork/views/utils.py
+++ b/patchwork/views/utils.py
@@ -84,8 +84,14 @@ def _submission_to_mbox(submission):
 
     orig_headers = HeaderParser().parsestr(str(submission.headers))
     for key, val in orig_headers.items():
+        # we set this ourselves
         if key == 'Content-Transfer-Encoding':
             continue
+        # we don't save GPG signatures described in RFC1847 [1] so this
+        # Content-Type value is invalid
+        # [1] https://tools.ietf.org/html/rfc1847
+        if key == 'Content-Type' and val == 'multipart/signed':
+            continue
         mail[key] = val
 
     if 'Date' not in mail:
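Review bot: The new check `val == 'multipart/signed'` compares the whole header value, but RFC 1847 requires `boundary`, `protocol` and `micalg` parameters on this content type, so a signed mail's header reads `multipart/signed; micalg=...; protocol=...; boundary=...`, fails the equality test and is still passed through. Field names and media types are case-insensitive too, so `Content-type` or `Multipart/Signed` would also slip past. Comparing the parsed media type is sturdier, e.g. `if key.lower() == 'content-type' and orig_headers.get_content_type() == 'multipart/signed':`. The same case-sensitive key comparison affects the existing `Content-Transfer-Encoding` check above it. `_submission_to_mbox` starts and ends outside this hunk.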
-- 
2.19.1


