possible security hole

Jason Martin jhmartin@mail.com
Mon, 4 Dec 2000 19:23:01 -0800 (PST)


> briefly explain encoding to base64

It takes binary (and text) input and uses A-Za-z0-9 and = to encode the data in one long string. It is equivalent to uuencoding. It is a clean way to bandy about 'dirty' strings. PHP has the functions base64_encode() and base64_decode() to handle this. I recommend you encode the data as such before handing it off to gpg. Decoding can be done with any number of tools, one being 'mimencode -u' under Linux. uudecode -m can probably do it too.
> > shell can be tricked depending on $sensitiveinfo to do things you don't
> > intend. Maybe if you base64 encode $sensitiveinfo first you'll be
> > more-or-less immune from shell exploits. From a purely crypto point of
> > view; I don't see anything wrong with this if we assume that
> > $sensitiveinfo is guaranteed to have shell-safe values.
> >
> > > "echo $sensitiveinfo|gpg --homedir /my/home/dir --always-trust -ear me|mail to\@me.com"
> > >
> > > the script runs as nobody
> > > the secret key has never seen the server
> > > the script only encrypts
> > > I don't care who the message comes from I only want the $sensitiveinfo
-- 
Cats have nine lives - but sleep through eight of them.
PGP KeyID=0xEA954813 Fingerprint:3B07 518C D76E 572F 7DAA 88A5 9763 835A EA95 4813
finger jhmartin@pitr.scs.wsu.edu for key
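An added example (not code from this thread or from the original poster) that puts the quoted command next to the reply's suggestion of base64-encoding $sensitiveinfo first, and goes one step further by handing the data to gpg on stdin so that no shell parses it at all. The key id "me", the homedir and the address are the placeholders from the quoted command; gpg is assumed to be in PATH, and the array form of proc_open() needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread. Contrasts the interpolated command
// quoted above with the reply's suggestion (base64-encode first) and with
// handing the data to gpg on stdin. Key id "me", the homedir and the address
// are placeholders taken from the quoted command.

function commandUnsafe(string $sensitiveinfo): string
{
    // The data is part of the command line, so the shell interprets any
    // metacharacters it contains before gpg ever runs.
    return "echo $sensitiveinfo|gpg --homedir /my/home/dir --always-trust -ear me|mail to@me.com";
}

function commandBase64(string $sensitiveinfo): string
{
    // base64_encode() emits only [A-Za-z0-9+/=]; none of these is special to
    // the shell, so the value cannot alter the command's structure.
    $encoded = base64_encode($sensitiveinfo);
    return "echo $encoded|gpg --homedir /my/home/dir --always-trust -ear me|mail to@me.com";
}

function hasShellMetachar(string $s): bool
{
    // Characters an unquoted POSIX shell word must not contain.
    return preg_match('/[\s;&|<>`$()\\\\\'"*?\[\]{}!#~]/', $s) === 1;
}

function encryptViaStdin(string $sensitiveinfo): string
{
    // No shell at all: gpg is started directly and reads the data from stdin.
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $argv = ['gpg', '--homedir', '/my/home/dir', '--always-trust', '-ear', 'me'];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $sensitiveinfo);
    fclose($pipes[0]);
    $armored = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('gpg exited with an error');
    }
    return $armored;   // ASCII-armored ciphertext, ready to hand to mail()
}
$input = "secret; id";                                    // constructed hostile value
var_dump(hasShellMetachar($input));                       // bool(true)
var_dump(hasShellMetachar(base64_encode($input)));        // bool(false)
```

On the receiving side the base64 layer is stripped before decryption, e.g. with `mimencode -u` as the reply mentions or with coreutils `base64 -d`, and the result is then passed to gpg.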