This line is problematic: https://github.com/python-otr/pure-python-otr/blob/staging/src/potr/proto.py#L134
Its purpose is to check that the parsed OTR tag advertises a correct protocol version by checking that the value is a digit.
First, since python3, isdigit() (and posssibly isdecimal and isnumeric) goes by a quite wider definition of "digit". For example, UTF-8 characters other than 0-9, but representing symbols containing a digit in them will match, as well as digits from other alphabets.
Example:
'9' == '⑨'
True
First, this caused panic and anger, but then, reading the OTRv2 spec:
"If she is willing to use OTR versions other than 1, a "v" followed by the byte identifiers for the versions in question, followed by "?". The byte identifier for OTR version 2 is "2". The order of the identifiers between the "v" and the "?" does not matter, but none should be listed more than once."
( https://otr.cypherpunks.ca/Protocol-v2-3.1.0.html )
we actually realised any byte might at some point designate a version. It just happens that the ascii value "2" was chosen.
In that context, a better option might be to remove this isdigit() test altogether, as it does not reflect a specification constraint.
This line is problematic: https://github.com/python-otr/pure-python-otr/blob/staging/src/potr/proto.py#L134
Its purpose is to check that the parsed OTR tag advertises a correct protocol version by checking that the value is a digit.
First, since python3, isdigit() (and posssibly isdecimal and isnumeric) goes by a quite wider definition of "digit". For example, UTF-8 characters other than 0-9, but representing symbols containing a digit in them will match, as well as digits from other alphabets.
Example:
First, this caused panic and anger, but then, reading the OTRv2 spec:
we actually realised any byte might at some point designate a version. It just happens that the ascii value "2" was chosen.
In that context, a better option might be to remove this isdigit() test altogether, as it does not reflect a specification constraint.