On Thu, 18 Dec 2008 19:01, ds...@jabberwocky.com said:

> my_gpg_stream=popen("gpg -o - -r whoever -e the-file-to-encrypt
> ..etc...","r");

We all know that but anyway: Please make 100% sure that you don't insert any data (filenames, user IDs, etc.) you received from a user into the command line passed to popen. popen uses the shell to execute gpg and thus all kinds of shell quoting tricks can be used to take over the system. If you really need to insert data received from the user, screen the data against a list of innocent characters (i.e. "[a-zA-Z0-9_.-]") and reject it if you notice any other character.

Salam-Shalom,

   Werner

--
Thoughts are free. Exceptions are regulated by a federal law.
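
The screening described in the message above, as an added example (not part of the original post and not GnuPG code). The names `is_innocent` and `build_gpg_command` and the sample inputs are hypothetical; rejecting a leading `-` is an extra check beyond the character list in the message.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if s is non-empty and consists only of [a-zA-Z0-9_.-]. */
static int is_innocent(const char *s)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyz"
        "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789_.-";
    if (s == NULL || *s == '\0')
        return 0;
    /* Assumption added here: a leading '-' passes the character list,
       but gpg would read the value as an option, so reject it too. */
    if (s[0] == '-')
        return 0;
    return s[strspn(s, allowed)] == '\0';
}

/* Builds the popen() command line from the thread into out.
   Returns 0 on success, -1 if an input is rejected or out is too small. */
int build_gpg_command(char *out, size_t outlen,
                      const char *recipient, const char *filename)
{
    int n;
    if (!is_innocent(recipient) || !is_innocent(filename))
        return -1;
    n = snprintf(out, outlen, "gpg -o - -r %s -e %s", recipient, filename);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

int main(void)
{
    char cmd[256];
    /* Constructed sample inputs. */
    const char *samples[] = { "report.txt", "a.txt; id", "$(id)", "--output" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_gpg_command(cmd, sizeof cmd, "whoever", samples[i]) == 0)
            printf("accepted: %s\n", cmd);  /* may be passed to popen(cmd, "r") */
        else
            printf("rejected: %s\n", samples[i]);
    }
    return 0;
}
```

Only a command string that `build_gpg_command` accepted is handed to `popen`; rejected input is reported back to the caller rather than quoted or escaped.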