Stefan Sperling wrote on Mon, Jul 25, 2011 at 20:55:56 +0200:
> On Mon, Jul 25, 2011 at 09:44:17PM +0300, Daniel Shahaf wrote:
> > s...@apache.org wrote on Mon, Jul 25, 2011 at 14:33:33 -0000:
> > > + /* Send LC_CTYPE to the gpg-agent daemon. */
> > > + lc_ctype = getenv("LC_CTYPE");
> > > + if (lc_ctype == NULL)
> > > + lc_ctype = getenv("LC_ALL");
> > > + if (lc_ctype == NULL)
> > > + lc_ctype = getenv("LANG");
> > > + if (lc_ctype != NULL)
> > > + {
> > > + request = apr_psprintf(pool, "OPTION lc-ctype=%s\n", lc_ctype);
> >
> > You're passing an environment variable to gpg-agent unescaped. Suppose
> > I could control the value of that variable in your environment. (Yes,
> > this is a contrived situation.) What could I do then?
>
> Issue arbitrary commands to the agent. But the response will be read
> back by svn.
> I am not sure what kind of commands there are (or will be added in
> future) that would be useful to you in that situation.
>
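Review bot: the lookup order in the quoted hunk (LC_CTYPE, then LC_ALL, then LANG) inverts POSIX locale precedence, where a set LC_ALL overrides every LC_* category; consult LC_ALL first, then LC_CTYPE, then LANG. Separately, the value is handed to the agent verbatim in `request = apr_psprintf(pool, "OPTION lc-ctype=%s\n", lc_ctype);`, and the Assuan protocol is line-based, so a value containing a newline is parsed by gpg-agent as a second command. Percent-escape `%`, CR and LF in the value (Assuan's own escaping for argument data), or reject values that contain them, before formatting the request.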
On IRC you linked to <http://www.gnupg.org/documentation/manuals/gnupg/Agent-Protocol.html>.
I'm also thinking about how this can affect third-party applications that also use
the same gpg-agent instance. I'll look into that at some point.

> If you can already control a user's env vars you can likely
> go a simpler route: Just talk to the agent and get the password
> from it. All you need to know is the MD5 hash of the auth realm.
> Try all of the ones in ~/.subversion/auth/svn.simple and you'll
> likely get a password.
>
> As I said on IRC, I don't think running a gpg-agent with the password
> cached is any safer than putting the password in a plain-text file
> with restricted access permissions. The only difference is that the
> cached password doesn't survive a reboot and times out after a while.