How encrypt data/text stream instead of a file?
Werner Koch
wk at gnupg.org
Fri Dec 19 12:03:48 CET 2008
On Thu, 18 Dec 2008 19:01, dshaw at jabberwocky.com said:
> my_gpg_stream=popen("gpg -o - -r whoever -e the-file-to-encrypt ..etc...","r");
We all now that but anyway:
Please make 100% sure that you don't insert any data (filenames, user
IDS, etc) you received from a user into the command line passed to
popen.
popen uses the shell to execute gpg and thus all kind of shell quoting
tricks can be used to take over the system. If you really need to
insert data received from the user, screen the data against a list of
innocent characters (i.e. "[a-zA-Z0-9_.-]") and reject it if you notice
any other character.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.
More information about the Gnupg-users
mailing list