Idea #6277

Updated by Tom Clegg almost 9 years ago

A valid manifest format has three kinds of tokens: stream name, block locator, and file.

The current manifest parsing code (including signature validation and generation) has some implicit assumptions that it's working on a valid manifest, but:

* there are some cases of "check this token just in case the manifest isn't valid" that could be optimized out if we had checked beforehand.
* there are almost certainly some remaining loopholes with undefined behavior. For example, if a line (invalidly) starts with a block locator, does its signature get checked on the way in? Does it get a new signature on the way out? If the answers are "no" and "yes" respectively, it's a trivial exploit.

Rather than litter the signature code with edge cases covering invalid manifests, we should validate the format before doing any further parsing/munging operations. Subsequent manipulations can safely make the simplifying assumption that the manifest is valid.

The validation method itself should go in the Ruby SDK.

Valid manifest format is described at [[Keep manifest format]].
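As an added example (not code from the Arvados Ruby SDK), a strict validator in the shape this issue asks for: it checks the token order of every line before any signature handling, so a line that starts with a block locator is rejected up front instead of reaching the signing code. The token patterns are assumptions taken from the Keep manifest format page (stream names beginning with `.`, locators of md5+size+hints, file tokens of position:length:name), and the sample manifests are constructed.

```ruby
# Strict pre-parse validator for Keep manifests (added example, not SDK code).
# Token grammar is assumed from the Keep manifest format documentation.
module ManifestValidator
  class ValidationError < StandardError; end
  # Stream name: "." or "./a/b" with non-empty components other than "." / "..".
  STREAM_NAME   = /\A\.(\/(?!\.{1,2}(?:\/|\z))[^\/\s]+)*\z/
  # Block locator: 32 hex md5 digits, "+size", then optional "+hint" parts
  # (a permission signature hint looks like "+A<hex>@<expiry>").
  BLOCK_LOCATOR = /\A[0-9a-f]{32}\+\d+(\+[A-Za-z][^+\s]*)*\z/
  # File token: position:length:name with a non-empty name.
  FILE_TOKEN    = /\A\d+:\d+:\S+\z/
  EXPECTED = { stream: "stream name", locator: "block locator",
               locators: "block locator or file token", files: "file token" }.freeze

  # Returns true for a valid manifest; raises ValidationError with the line
  # number and reason on the first defect. Run before any signature handling.
  def self.validate!(manifest)
    raise ValidationError, "manifest must end with a newline" unless manifest.empty? || manifest.end_with?("\n")
    manifest.each_line.with_index(1) do |line, lineno|
      # Split on single spaces only: doubled spaces become empty tokens that
      # match nothing, and a stray "\r" stays attached to the last token.
      tokens = line.delete_suffix("\n").split(/ /, -1)
      state = :stream
      tokens.each do |tok|
        ok = case state
             when :stream then tok.match?(STREAM_NAME) && (state = :locator)
             when :locator then tok.match?(BLOCK_LOCATOR) && (state = :locators)
             when :locators then tok.match?(BLOCK_LOCATOR) || (tok.match?(FILE_TOKEN) && (state = :files))
             when :files then tok.match?(FILE_TOKEN)   # no locator may follow a file token
             end
        raise ValidationError, "line #{lineno}: expected #{EXPECTED[state]}, got #{tok.inspect}" unless ok
      end
      raise ValidationError, "line #{lineno}: missing file token" unless state == :files
    end
    true
  end

  # nil when the manifest is valid, otherwise the validation message.
  def self.error_for(manifest)
    validate!(manifest)
    nil
  rescue ValidationError => e
    e.message
  end
end

# Constructed samples: a valid two-stream manifest, and the loophole from the
# issue, a line that (invalidly) begins with a block locator, not a stream name.
VALID_MANIFEST = ". 37b51d194a7513e45b56f6524f2d51f2+3 0:3:bar.txt\n" \
                 "./dir acbd18db4cc2f85cedef654fccc4a4d8+3+Afakesig@deadbeef 0:3:foo.txt\n"
LOCATOR_FIRST  = "37b51d194a7513e45b56f6524f2d51f2+3 0:3:bar.txt\n"
```

Because the validator rejects the whole manifest on the first bad line, signature checking and re-signing only ever see lines whose first token is a stream name and whose locators all precede the file tokens.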
