Story #6277
Updated by Tom Clegg over 9 years ago
A valid manifest format has three kinds of tokens: stream name, block locator, and file.
The current manifest parsing code (including signature validation and generation) has some implicit assumptions that it's working on a valid manifest, but:
* there are some cases of "check this token just in case the manifest isn't valid" that could be optimized out if we had checked beforehand.
* there are almost certainly some remaining loopholes with undefined behavior. For example, if a line (invalidly) starts with a block locator, does its signature get checked on the way in? Does it get a new signature on the way out? If the answers are "no" and "yes" respectively, it's a trivial exploit.
Rather than litter the signature code with edge cases covering invalid manifests, we should validate the format before doing any further parsing/munging operations. Subsequent manipulations can safely make the simplifying assumption that the manifest is valid.
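One way to do that up-front validation, as an added example that is not code from this story or from Arvados: the token grammar it encodes (the shapes of stream names, block locators and file tokens) is my assumption about the Keep manifest format, and the sample manifests, including the `+A` signature hint, are constructed. Rejecting the line-starts-with-a-locator case here means the signature code downstream never has to reason about it.

```python
import re

# Token grammar assumed from the Arvados Keep manifest format (added example,
# not code from the story or from Arvados): stream name "." or "./dir[/...]";
# block locator = 32-hex md5 "+" size, then optional "+hint" fields (a signed
# locator carries a "+A<sig>@<expiry>" hint); file token = "offset:length:name".
STREAM_RE = re.compile(r'^\.(/[^/\s]+)*$')
LOCATOR_RE = re.compile(r'^[0-9a-f]{32}\+\d+(\+\S+)*$')
FILE_RE = re.compile(r'^\d+:\d+:\S+$')

class ManifestError(ValueError):
    pass

def validate_manifest(text):
    """Return [(stream, locators, files), ...] or raise ManifestError.
    Enforces token order on every line (stream, >=1 locators, >=1 files), so
    signature checking and re-signing never see a misplaced locator."""
    if text and not text.endswith('\n'):
        raise ManifestError('manifest must end with a newline')
    streams = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split(' ')
        if not STREAM_RE.match(tokens[0]):
            raise ManifestError('line %d: expected stream name, got %r' % (lineno, tokens[0]))
        i = 1
        while i < len(tokens) and LOCATOR_RE.match(tokens[i]):
            i += 1
        if i == 1:
            raise ManifestError('line %d: no block locators' % lineno)
        files = tokens[i:]
        if not files or not all(FILE_RE.match(t) for t in files):
            raise ManifestError('line %d: bad or misplaced token after locators' % lineno)
        streams.append((tokens[0], tokens[1:i], files))
    return streams

def is_valid_manifest(text):
    try:
        validate_manifest(text)
        return True
    except ManifestError:
        return False

# Constructed samples. d41d8cd9...427e is md5(""); the +A hint is made up.
EMPTY_BLOCK = 'd41d8cd98f00b204e9800998ecf8427e+0'
GOOD = ('. %s 0:0:empty.txt\n' % EMPTY_BLOCK +
        './sub %s+A%s@deadbeef 0:0:x\n' % (EMPTY_BLOCK, 'ab' * 20))
BAD_LEADING_LOCATOR = '%s 0:0:empty.txt\n' % EMPTY_BLOCK   # the loophole in the story
BAD_TRAILING_LOCATOR = '. %s 0:0:a %s\n' % (EMPTY_BLOCK, EMPTY_BLOCK)
```

Anything that passes `validate_manifest` has every locator in `tokens[1:i]` of its line, so a signing or verifying pass can iterate over exactly those tokens and nothing else.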