On Mon, Jul 25, 2011 at 09:44:17PM +0300, Daniel Shahaf wrote:
> s...@apache.org wrote on Mon, Jul 25, 2011 at 14:33:33 -0000:
> > +  /* Send LC_CTYPE to the gpg-agent daemon. */
> > +  lc_ctype = getenv("LC_CTYPE");
> > +  if (lc_ctype == NULL)
> > +    lc_ctype = getenv("LC_ALL");
> > +  if (lc_ctype == NULL)
> > +    lc_ctype = getenv("LANG");
> > +  if (lc_ctype != NULL)
> > +    {
> > +      request = apr_psprintf(pool, "OPTION lc-ctype=%s\n", lc_ctype);
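Review bot: the lc_ctype value is interpolated unescaped at `request = apr_psprintf(pool, "OPTION lc-ctype=%s\n", lc_ctype);`, so a value containing LF (or CR) terminates the protocol line early and the remainder is read by the agent as a further command; the Assuan line protocol gpg-agent speaks expects '%', CR and LF inside such values to be percent-escaped (%25, %0D, %0A), so escape the value, or reject any value containing those bytes, before building the request. A secondary point: the lookup order LC_CTYPE, then LC_ALL, then LANG inverts the POSIX precedence (LC_ALL overrides LC_CTYPE, which overrides LANG), so LC_ALL should be consulted first.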
> 
> You're passing an environment variable to gpg-agent unescaped.  Suppose
> I could control the value of that variable in your environment.  (Yes,
> this is a contrived situation.)  What could I do then?

Issue arbitrary commands to the agent. But the response will be read
back by svn.
I am not sure what kind of commands there are (or will be added in
future) that would be useful to you in that situation.

If you can already control a user's env vars you can likely
go a simpler route: Just talk to the agent and get the password
from it. All you need to know is the MD5 hash of the auth realm.
Try all of the ones in ~/.subversion/auth/svn.simple and you'll
likely get a password.

As I said on IRC, I don't think running a gpg-agent with the password
cached is any safer than putting the password in a plain-text file
with restricted access permissions. The only difference is that the
cached password doesn't survive a reboot and times out after a while.
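The escaping question raised in the thread, worked through as an added example (this is not Subversion's code and was not part of the original exchange): gpg-agent speaks the Assuan line protocol, in which a value carried on a command line must have '%', CR and LF percent-escaped as %25, %0D and %0A. The function names `assuan_percent_escape`, `build_lc_ctype_option` and `count_assuan_lines` are assumptions for this example, and the hostile value is constructed; the point is that after escaping, any environment value yields exactly one protocol line, so no second command can be smuggled in.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-escape a string for use in an Assuan protocol line: '%', CR
 * and LF become %25, %0D and %0A, so the value can never end the line
 * early.  Returns a malloc'd buffer the caller frees, or NULL.
 * (Added example; hypothetical helper, not Subversion code.) */
char *assuan_percent_escape(const char *in)
{
  size_t i, n = strlen(in);
  char *out = malloc(3 * n + 1);   /* worst case: every byte expands x3 */
  char *p = out;
  if (out == NULL)
    return NULL;
  for (i = 0; i < n; i++)
    {
      unsigned char c = (unsigned char)in[i];
      if (c == '%' || c == '\r' || c == '\n')
        {
          sprintf(p, "%%%02X", c);  /* e.g. LF -> "%0A" */
          p += 3;
        }
      else
        *p++ = (char)c;
    }
  *p = '\0';
  return out;
}

/* Build the OPTION line the way the patch does, but from the escaped
 * value.  Returns a malloc'd string the caller frees, or NULL. */
char *build_lc_ctype_option(const char *lc_ctype)
{
  char *escaped = assuan_percent_escape(lc_ctype);
  char *line;
  size_t len;
  if (escaped == NULL)
    return NULL;
  len = strlen("OPTION lc-ctype=") + strlen(escaped) + 2; /* LF + NUL */
  line = malloc(len);
  if (line != NULL)
    snprintf(line, len, "OPTION lc-ctype=%s\n", escaped);
  free(escaped);
  return line;
}

/* Count LF-terminated protocol lines in a request.  A correctly
 * escaped OPTION request is always exactly one line. */
int count_assuan_lines(const char *request)
{
  int lines = 0;
  for (; *request; request++)
    if (*request == '\n')
      lines++;
  return lines;
}

int main(void)
{
  /* Constructed hostile value: a locale name followed by an embedded
   * newline and a second line that would otherwise reach the agent. */
  const char *hostile = "en_US.UTF-8\nINJECTED_LINE";
  char *line = build_lc_ctype_option(hostile);
  if (line == NULL)
    return 1;
  printf("%s", line);                 /* OPTION lc-ctype=en_US.UTF-8%0AINJECTED_LINE */
  printf("lines sent: %d\n", count_assuan_lines(line));   /* 1 */
  free(line);
  return 0;
}
```

Escaping preserves the value for the agent (it unescapes on receipt), whereas simply rejecting values that contain CR, LF or '%' is the stricter choice for a setting that should only ever be a locale name; either way the request stays a single line.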
