possible security hole

Derek Vokey turfdog@planetturf.ca
Mon, 4 Dec 2000 19:08:16 -0800


I've created a php script which uses pipes in execting a shell such as:

"echo $sensitiveinfo|gpg  --homedir /my/home/dir --always-trust -ear me|mail
to\@me.com"

the script runs as nobody
the secret key has never seen the server
the script only encrypts
I don't care who the message comes from I only want the $sensitiveinfo

I was told that this is insecure (even if no one breaks root!).


Could someone with more expertise PLEASE give me an opinion?
p.s. I know that you are sick of these questions
(thank you for your program and your patience Werner!)
Thank you
in advance
Derek






-- 
Archive is at http://lists.gnupg.org - Unsubscribe by sending mail
with a subject of  "unsubscribe"  to gnupg-users-request@gnupg.org