On Thu, 1 Apr 2010, Camille Moncelier wrote:

> You could set up some _evil_ openssl engine and set init = 1 so openssl tries
> to initialize it automatically and TADA, (Bonus points if the application is
> setuid root) :-)

Thank you. I'm not sure where this puts us.
Assuming an app wants to support custom crypto engines as Petr Pisar enabled
with his patch, and assuming the app runs as setuid root, how can the app
limit what evilness a user can trick it into doing?
It seems this subject died somewhat...
--
/ daniel.haxx.se