possible security hole

Jason Martin jhmartin@mail.com
Mon, 4 Dec 2000 19:23:01 -0800 (PST)

Hash: SHA1

>briefly explain encoding to base64
It takes binary (and text) input and uses A-Za-z0-9 and = to encode the data in one long string. It is equivalent to uuencoding. It is a clean way to bandy about 'dirty' strings. PHP has a function base64_encode() and base64_decode() to handle this. I recommend you encode the data as such before handing it off to gpg. Decoding can be done with any number of tools, one being 'mimencode -u' under linux. uudecode -m can probably do it too.
> > shell can be tricked depending on $sensitiveinfo to do things you don't
> > intend. Maybe if you base64 encode $sensitiveinfo first you'll be
> > more-or-less immune from shell exploits. From a purely crypto point of
> > view; I don't see anything wrong with this if we assume that
> > $sensitiveinfo is guarenteed to have shell-safe values.
> >
> > > "echo $sensitiveinfo|gpg --homedir /my/home/dir --always-trust -ear
> me|mail
> > > to\@me.com"
> > >
> > > the script runs as nobody
> > > the secret key has never seen the server
> > > the script only encrypts
> > > I don't care who the message comes from I only want the $sensitiveinfo
- -- Cats have nine lives - but sleep through eight of them. PGP KeyID=0xEA954813 Fingerprint:3B07 518C D76E 572F 7DAA 88A5 9763 835A EA95 4813 finger jhmartin@pitr.scs.wsu.edu for key -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org Filter: gpg4pine 4.1 (http://azzie.robotics.net) iQEMBAERAgDMBQI6LF+lnRSAAAAAAAgAjEdlZWtDb2RlIkdDUyBkLSBzKzogYS0t IEMrKyBVTCsrKysgUCsrIEwrKysgRS0tLSBXKysrIE4rKyBvLS0gSy0gdy0tLSBP LSBNLS0gVi0tIFBTKysgUEUgWSsrKyBQR1ArKysgdCsrKyA1KysgWCsgUiB0disg YisgREkrKysrIEQgRy0tIGUrKyBoIHIrKyB5PyIUFIAAAAAACQACU2xpbVNoYWR5 bm8SFIAAAAAABgADTm9va2lleWVzAAoJEJdjg1rqlUgT7UcAoJHzmzI87ipvjwg5 7cfk3HzHnK6CAJ47ZgBHMRCk26hKnLGbclOzV00Mrg== =2U4p -----END PGP SIGNATURE----- -- Archive is at http://lists.gnupg.org - Unsubscribe by sending mail with a subject of "unsubscribe" to gnupg-users-request@gnupg.org