Reading new key packages (Re: Coexistence with OpenPGP/IETF)
Stephan Verbücheln
verbuecheln at posteo.de
Sat Jan 6 18:29:19 CET 2024
What about malicious filenames?
What about “document.pdf.gpg” decrypting to “malware.exe”, because that
is what the metadata filename field says?
What about “../../../../../dangerous/file” in the metadata filename
field?
It seems that filenames in metadata open all kinds of problems that we
already know from tar, zip etc. These tools already go to a lot of effort
to deal with all the edge cases. It appears to be an unnecessary risk
to have this redundant feature in PGP as well.
Regards
Stephan
Attachment: signature.asc (application/pgp-signature, 260 bytes, digitally signed message part)
URL: <https://librepgp.org/pipermail/librepgp-discuss/attachments/20240106/6f491643/attachment.sig>
More information about the LibrePGP-discuss mailing list
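The two attacks named in the message above (an embedded name that changes the extension, and an embedded name that carries a directory traversal) are easy to demonstrate against the filename field of an OpenPGP literal data packet. The following is an added example, not code from the original post, from LibrePGP or from GnuPG: it parses the tag-11 packet as laid out in RFC 4880 section 5.9, reduces the embedded filename to a single path component, and only ever writes to a name derived from the container file (`document.pdf.gpg` yields `document.pdf`, whatever the packet says). All function names, the `.out` fallback suffix and the policy of refusing any embedded name that disagrees with the container name are assumptions made for this example.

```python
"""Added example (hypothetical helpers, not project code): read the filename
field of an OpenPGP literal data packet and decide what is safe to write."""
from __future__ import annotations
import re
import struct

CONTAINER_SUFFIXES = (".gpg", ".pgp", ".asc")
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def build_literal_packet(fmt: bytes, name: bytes, mtime: int, data: bytes) -> bytes:
    """Build a new-format tag-11 packet; used here only to construct test input."""
    if len(name) > 255:
        raise ValueError("filename field is limited to 255 octets")
    body = fmt + bytes([len(name)]) + name + struct.pack(">I", mtime) + data
    n = len(body)
    if n < 192:
        hdr = bytes([0xCB, n])                       # 0xCB = new format, tag 11
    elif n < 8384:
        hdr = bytes([0xCB, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = bytes([0xCB, 0xFF]) + struct.pack(">I", n)
    return hdr + body


def parse_literal_packet(pkt: bytes) -> tuple[str, bytes, int, bytes]:
    """Return (format, raw_filename, mtime, data) from a tag-11 packet.
    Old- and new-format headers are accepted; partial/indeterminate lengths are refused."""
    if len(pkt) < 2 or not pkt[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if pkt[0] & 0x40:                                # new-format header
        tag, first = pkt[0] & 0x3F, pkt[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + pkt[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", pkt[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                            # old-format header
        tag, ltype = (pkt[0] >> 2) & 0x0F, pkt[0] & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = (1, 2, 4)[ltype]
        length, off = int.from_bytes(pkt[1:1 + n], "big"), 1 + n
    if tag != 11:
        raise ValueError(f"expected literal data packet (tag 11), got tag {tag}")
    body = pkt[off:off + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated packet")
    name_len = body[1]
    if 6 + name_len > length:
        raise ValueError("filename field runs past the packet body")
    name = body[2:2 + name_len]
    mtime = struct.unpack(">I", body[2 + name_len:6 + name_len])[0]
    return chr(body[0]), name, mtime, body[6 + name_len:]


def sanitize_filename(raw: bytes) -> str | None:
    """Reduce the embedded filename to one safe path component, or None if unusable."""
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory part
    if name in ("", ".", "..") or CONTROL_CHARS.search(name):
        return None
    return name


def choose_output_name(container: str, raw_meta_name: bytes) -> tuple[str | None, str]:
    """The container's own name is the trust anchor: the embedded name may confirm
    it but never change the extension or the directory.  Returns (name, reason)."""
    if raw_meta_name == b"_CONSOLE":                 # RFC 4880 "for your eyes only"
        return None, "for-your-eyes-only: do not write to disk"
    outer = container.replace("\\", "/").rsplit("/", 1)[-1]
    for suffix in CONTAINER_SUFFIXES:
        if outer.lower().endswith(suffix) and len(outer) > len(suffix):
            outer = outer[:-len(suffix)]
            break
    else:
        outer += ".out"   # assumed fallback so the input file is never overwritten
    meta = sanitize_filename(raw_meta_name)
    if meta is None:
        return outer, "embedded filename rejected, using container name"
    if meta == outer:
        return outer, "embedded filename agrees with container name"
    return outer, f"embedded filename {meta!r} ignored: differs from container name"


def demo() -> list[tuple[str | None, str]]:
    """Constructed packets reproducing the cases from the message."""
    cases = [("document.pdf.gpg", b"document.pdf"),
             ("document.pdf.gpg", b"malware.exe"),
             ("document.pdf.gpg", b"../../../../../dangerous/file"),
             ("notes.txt.gpg", b"_CONSOLE")]
    out = []
    for container, meta in cases:
        _, raw_name, _, _ = parse_literal_packet(build_literal_packet(b"b", meta, 0, b"hi"))
        out.append(choose_output_name(container, raw_name))
    return out


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name!r:20} {reason}")
```

This is the conservative end of the design space: the embedded name is parsed and validated but never trusted over the container name, which is also why GnuPG's manual warns that its `--use-embedded-filename` option is dangerous and leaves it off by default. A tool that does want to honour the embedded name should at least apply `sanitize_filename` and refuse to overwrite existing files.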