
Re: Execution of signed scripts received by e-mail



    Matt> Get one input line at a time, and look for Reply-To: and
    Matt> From: headers to get a reply address.  As we are slurping up
    Matt> lines, watch for '-----BEGIN PGP' lines.  If it is for

I suggest ignoring Reply-To: etc. and requiring a return address inside
the signed region of the mail; otherwise someone could intercept the mail
(suppressing the original) and resend it from his account, and the results
would get sent to the interceptor.
Another idea would be to extract the return address from the PGP userid
which signed the script.

Regards
  Steffen

-- 
work: Steffen.Zahn%[email protected] | home: [email protected]
      phone:+49-30-38624969                     |       phone:+49-30-4732126
Any opinions expressed herein are not necessarily those of my employer.
Use of my addresses for unsolicited commercial advertising is forbidden.
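
An added example, not part of the original message or of any tool discussed in the thread: a sketch of taking the reply address only from inside the clearsigned region and ignoring the outer mail headers. It assumes the sender puts a `Reply-To:` line in the signed text, and `verify` is a hypothetical callback standing in for real signature verification (for example, a call out to PGP).

```python
import re
from email.utils import parseaddr

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

def signed_text(raw_mail):
    """Return (armored_block, cleartext) of the first clearsigned block, or None."""
    lines = raw_mail.splitlines()
    try:
        start = lines.index(BEGIN)
        sig = lines.index(SIG_BEGIN, start)
        end = lines.index(SIG_END, sig)
        body_start = lines.index("", start) + 1  # armor headers end at a blank line
    except ValueError:
        return None
    if body_start > sig:
        return None
    # Undo the "- " dash-escaping that clearsigning applies to lines starting with "-".
    body = [l[2:] if l.startswith("- ") else l for l in lines[body_start:sig]]
    return "\n".join(lines[start:end + 1]), "\n".join(body)

def return_address(raw_mail, verify):
    """Reply address from inside the signed text; None if unsigned, unverified
    or absent. Headers outside the signature are never consulted."""
    found = signed_text(raw_mail)
    if found is None or not verify(found[0]):
        return None
    for line in found[1].splitlines():
        m = re.match(r"reply-to:\s*(.+)$", line, re.I)
        if m:
            addr = parseaddr(m.group(1))[1]
            return addr if "@" in addr else None
    return None

# Constructed sample: the outer header names the interceptor, the signed text the owner.
SAMPLE = """Reply-To: interceptor@example.net

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Reply-To: owner@example.org
echo hello
-----BEGIN PGP SIGNATURE-----
(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""
```

In a real deployment the address should be read from the text the verifier itself reports as signed, so that the parser and the verifier cannot disagree about where the signed region starts and ends.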