gpgme "Locate engine names only at runtime and prefer GnuPG-2" commit break Android
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Feb 20 15:40:01 CET 2014
On 02/20/2014 07:44 AM, Werner Koch wrote:
> On Thu, 20 Feb 2014 02:57, hans at guardianproject.info said:
>
>> Using env vars is not a feasible solution on Android. The hard-coded option
>> that existed worked well.
>
> The envvar is just PATH; if it is missing, the standard directories are
> searched:
>
>   orig_path = getenv ("PATH");
>   if (!orig_path)
>     orig_path = "/bin:/usr/bin:.";

Is including the current directory (.) in this path a good idea? This
implies that in the absence of $PATH, the behavior of gpgme will be
different depending on the directory from which it is invoked.
I could imagine this causing problems or opening vulnerabilities when
gpgme is used (for example) to process user-supplied files from a given
directory.
--dkg
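An added example, not part of the original message and not gpgme code: one way to build the engine search list so that lookup never depends on the working directory. The function names are hypothetical, and the fallback is the quoted default with "." left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not gpgme code): copy only the absolute elements
   of a PATH-style list into OUT.  Returns the number of elements dropped
   (".", other relative names, and empty elements, which POSIX treats as
   the current directory), or -1 if OUT is too small.  */
static int absolute_path_elements(const char *path, char *out, size_t outlen)
{
    int dropped = 0;
    size_t used = 0;
    if (!outlen)
        return -1;
    out[0] = '\0';
    while (path) {
        const char *end = strchr(path, ':');
        size_t n = end ? (size_t)(end - path) : strlen(path);
        if (n && path[0] == '/') {
            if (used + n + 2 > outlen)   /* room for ':' + element + NUL */
                return -1;
            if (used)
                out[used++] = ':';
            memcpy(out + used, path, n);
            used += n;
            out[used] = '\0';
        } else {
            dropped++;
        }
        path = end ? end + 1 : NULL;
    }
    return dropped;
}

/* Search list for locating an engine binary: the caller's PATH if set,
   otherwise a fixed fallback that does not contain ".".  */
static int engine_search_path(const char *env_path, char *out, size_t outlen)
{
    return absolute_path_elements(env_path ? env_path : "/bin:/usr/bin",
                                  out, outlen);
}

int main(void)
{
    char buf[1024];
    int dropped = engine_search_path(getenv("PATH"), buf, sizeof buf);
    printf("search=%s dropped=%d\n", dropped < 0 ? "(too long)" : buf, dropped);
    return 0;
}
```

A non-zero return value is worth logging, since it means the inherited PATH itself contained a working-directory-relative element.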