How encrypt data/text stream instead of a file?

Werner Koch wk at
Fri Dec 19 12:03:48 CET 2008

On Thu, 18 Dec 2008 19:01, dshaw at said:

>   my_gpg_stream=popen("gpg -o - -r whoever -e the-file-to-encrypt ..etc...","r");

We all now that but anyway:

Please make 100% sure that you don't insert any data (filenames, user
IDS, etc) you received from a user into the command line passed to

popen uses the shell to execute gpg and thus all kind of shell quoting
tricks can be used to take over the system.  If you really need to
insert data received from the user, screen the data against a list of
innocent characters (i.e. "[a-zA-Z0-9_.-]") and reject it if you notice
any other character.



Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

More information about the Gnupg-users mailing list