Long tag form must not contain zero byte

diff --git a/VERSION b/VERSION
index 38abeb202c0e3b33b2a5a1b9e83a42789ffc88a5..25b629b0aa965f22239cb0927c9a3731a34d2c04 100644 (file)
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-7.6
+7.7

diff --git a/doc/install.rst b/doc/install.rst
index eb9c266b32d80c26eea36ecc234ae2e85223b431..b74a184aa7d36228fd9cecf88d2b91181df9dad6 100644 (file)
--- a/doc/install.rst
+++ b/doc/install.rst
@@ -4,11 +4,11 @@ Install
 Preferable way is to :ref:`download <download>` tarball with the
 signature from `official website <http://pyderasn.cypherpunks.ru/>`__::
 
-    $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-7.6.tar.xz
-    $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-7.6.tar.xz.sig
-    $ gpg --verify pyderasn-7.6.tar.xz.sig pyderasn-7.6.tar.xz
-    $ xz --decompress --stdout pyderasn-7.6.tar.xz | tar xf -
-    $ cd pyderasn-7.6
+    $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-7.7.tar.xz
+    $ [fetch|wget] http://pyderasn.cypherpunks.ru/pyderasn-7.7.tar.xz.sig
+    $ gpg --verify pyderasn-7.7.tar.xz.sig pyderasn-7.7.tar.xz
+    $ xz --decompress --stdout pyderasn-7.7.tar.xz | tar xf -
+    $ cd pyderasn-7.7
     $ python setup.py install
     # or copy pyderasn.py (+six.py, possibly termcolor.py) to your PYTHONPATH
 
@@ -21,7 +21,7 @@ You can also find it mirrored on :ref:`download <download>` page.
 You could use pip (**no** OpenPGP authentication is performed!) with PyPI::
 
     $ cat > requirements.txt <<EOF
-    pyderasn==7.6 --hash=sha256:TO-BE-FILLED
+    pyderasn==7.7 --hash=sha256:TO-BE-FILLED
     six==1.14.0 --hash=sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a
     EOF
     $ pip install --requirement requirements.txt

diff --git a/doc/news.rst b/doc/news.rst
index d3286605c8ff30d672ec3324be7d15f073f754a7..7d523e81f16b12042323f8760b2b17d54f932cf2 100644 (file)
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -1,6 +1,13 @@
 News
 ====
 
+.. _release7.7:
+
+7.7
+---
+* Strictly check that tag's long encoded form does not contain leading zero
+  (X.690 8.1.2.4.2 (c))
+
 .. _release7.6:
 
 7.6

diff --git a/pyderasn.py b/pyderasn.py
index 15ca386b89894c7c4278fc2914f5ca9c3b44e199..df0eb8f2cabaa46430590bf1bbeeedc231e36d66 100755 (executable)
--- a/pyderasn.py
+++ b/pyderasn.py
@@ -1201,7 +1201,7 @@ except ImportError:  # pragma: no cover
     def colored(what, *args, **kwargs):
         return what
 
-__version__ = "7.6"
+__version__ = "7.7"
 
 __all__ = (
     "agg_octet_string",
@@ -1558,6 +1558,8 @@ def tag_strip(data):
             raise DecodeError("unfinished tag")
         if indexbytes(data, i) & 0x80 == 0:
             break
+    if i > 1 and indexbytes(data, 1) & 0x7F == 0:
+        raise DecodeError("leading zero byte in tag value")
     i += 1
     return data[:i], i, data[i:]
 

diff --git a/tests/test_pyderasn.py b/tests/test_pyderasn.py
index 9a38fdda58bccb1837161a3237cbd5fdc9771c3d..fcf8781fb50580d6f58a4dcf726be88267595067 100644 (file)
--- a/tests/test_pyderasn.py
+++ b/tests/test_pyderasn.py
@@ -276,6 +276,13 @@ class TestTagCoder(TestCase):
         with self.assertRaises(DecodeError):
             len_decode(octets)
 
+    @given(tag_classes, tag_forms, integers(min_value=31))
+    def test_leading_zero_byte(self, klass, form, num):
+        raw = tag_encode(klass=klass, form=form, num=num)
+        raw = b"".join((raw[:1], b"\x80", raw[1:]))
+        with assertRaisesRegex(self, DecodeError, "leading zero byte"):
+            tag_strip(raw)
+
 
 class TestLenCoder(TestCase):
     @settings(max_examples=LONG_TEST_MAX_EXAMPLES)