
Re: Execution of signed scripts received by e-mail



-----BEGIN PGP SIGNED MESSAGE-----

Steffen Zahn <[email protected]> writes:
>    Matt> Get one input line at a time, and look for Reply-To: and
>    Matt> From: headers to get a reply address.  As we are slurping up
>    Matt> lines, watch for '-----BEGIN PGP' lines.  If it is for
>
>I suggest ignoring Reply-To: etc and requiring a return address inside
>the signed region of the mail, otherwise someone could intercept the mail
>(suppressing the original) and resend it from his account and the results
>would get sent to the interceptor.

This is a very good suggestion.  I'll change emscrypt to use this.

> Another idea would be to extract the return address from the PGP userid
>which signed the script.

I see that Mark M. has already commented on this, but I'll also add that I
didn't want to limit the reply to the address attached to the key.  For
example, I have several accounts spread around, and I might want the replies
to go to any one of them.

>Regards
>  Steffen

Thanks for the input.

- --Matt

- --
[email protected]

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----
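
The suggestion adopted in this message (ignore Reply-To:/From: and take the return address from inside the signed region), shown as an added Python example that is not emscrypt's code. The `Return-Address:` directive name, the function names and the sample addresses are assumptions; signature verification is left to PGP and is not performed here.

```python
import re
from email import message_from_string

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG = "-----BEGIN PGP SIGNATURE-----"
# Hypothetical in-body directive (assumption; the thread does not name one).
DIRECTIVE = re.compile(r"Return-Address:\s*(\S+@\S+)\s*", re.IGNORECASE)


def signed_region(body):
    """Dash-unescaped cleartext lines of the single clearsigned block, or None.
    Nothing is verified here: PGP must report a good signature over this block."""
    lines = body.splitlines()
    # Exactly one block, so unsigned text cannot pose as a second signed part.
    if lines.count(BEGIN) != 1 or lines.count(SIG) != 1:
        return None
    region = lines[lines.index(BEGIN) + 1:lines.index(SIG)]
    if "" not in region:
        return None
    region = region[region.index("") + 1:]  # skip armor headers and blank line
    return [l[2:] if l.startswith("- ") else l for l in region]


def reply_address(raw_message):
    """Reply address from inside the signed region only; headers are never read."""
    region = signed_region(message_from_string(raw_message).get_payload())
    if region is None:
        return None
    found = [m.group(1) for m in map(DIRECTIVE.fullmatch, region) if m]
    return found[0] if len(found) == 1 else None  # refuse missing or ambiguous


# Constructed sample: the header and the unsigned line before the block are
# what an interceptor could rewrite; the signature body is a placeholder.
SAMPLE = """\
Reply-To: interceptor@example.net

Return-Address: interceptor@example.net
-----BEGIN PGP SIGNED MESSAGE-----

Return-Address: matt@example.org
echo hello
- --Matt
-----BEGIN PGP SIGNATURE-----
(placeholder, not a real signature)
-----END PGP SIGNATURE-----
"""

print(reply_address(SAMPLE))
```

Rewriting the headers or adding lines outside the block does not change the result, and a message with no signed block, or with two conflicting directives inside it, yields no reply address at all.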