On Mon, Jul 25, 2011 at 09:44:17PM +0300, Daniel Shahaf wrote: > [email protected] wrote on Mon, Jul 25, 2011 at 14:33:33 -0000: > > + /* Send LC_CTYPE to the gpg-agent daemon. */ > > + lc_ctype = getenv("LC_CTYPE"); > > + if (lc_ctype == NULL) > > + lc_ctype = getenv("LC_ALL"); > > + if (lc_ctype == NULL) > > + lc_ctype = getenv("LANG"); > > + if (lc_ctype != NULL) > > + { > > + request = apr_psprintf(pool, "OPTION lc-ctype=%s\n", lc_ctype); > > You're passing an environment variable to gpg-agent unescaped. Suppose > I could control the value of that variable in your environment. (Yes, > this is a contrived situation.) What could I do then?
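Review bot: the value taken from LC_CTYPE/LC_ALL/LANG is dropped into `apr_psprintf(pool, "OPTION lc-ctype=%s\n", lc_ctype)` with no validation, so a value containing a newline ends the OPTION line and places a second command on the Assuan channel (a `%` or CR in the value would likewise be interpreted by the protocol rather than as part of the locale name); check the value before formatting it, for example by allowing only the characters that occur in locale names (letters, digits, `.`, `_`, `@`, `-`) and skipping the OPTION request otherwise. The lookup order in the same hunk, `getenv("LC_CTYPE")` first, then `LC_ALL`, then `LANG`, also inverts POSIX precedence, where `LC_ALL` overrides every `LC_*` variable: query `LC_ALL` first, then `LC_CTYPE`, then `LANG`, so the agent is told the ctype the svn process itself is using.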
Issue arbitrary commands to the agent. But the response will be read back by svn. I am not sure what kind of commands there are (or will be added in future) that would be useful to you in that situation. If you can already control a user's env vars you can likely go a simpler route: Just talk to the agent and get the password from it. All you need to know is the MD5 hash of the auth realm. Try all of the ones in ~/.subversion/auth/svn.simple and you'll likely get a password. As I said on IRC, I don't think running a gpg-agent with the password cached is any safer than putting the password in a plain-text file with restricted access permissions. The only difference is that the cached password doesn't survive a reboot and times out after a while.
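The injection Daniel describes, shown end to end as an added example. This is not Subversion's code and not part of the thread: plain libc stands in for APR, the allow-list character set and the 64-byte cap in is_safe_locale_name() are choices made for this example rather than anything Assuan or Subversion specifies, and the constructed hostile value uses gpg-agent's GETINFO command only to make the second injected line visible. It also goes one step beyond the quoted patch by resolving the three variables in POSIX order (LC_ALL, then LC_CTYPE, then LANG); the values are passed in as parameters instead of read with getenv() so the function can be exercised offline.

```c
/* Added example (not Subversion's code): the LC_CTYPE -> gpg-agent request
 * discussed above, built unsafely as in the quoted patch and then with an
 * allow-list check. Plain libc stands in for APR. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ASSUAN_OPTION_PREFIX "OPTION lc-ctype="

/* Resolve the locale the way POSIX does: LC_ALL overrides LC_CTYPE, which
 * overrides LANG. Values are passed in (rather than read with getenv) so
 * the function can be exercised offline; NULL or "" means "not set". */
const char *pick_lc_ctype(const char *lc_all, const char *lc_ctype, const char *lang)
{
    if (lc_all != NULL && *lc_all != '\0') return lc_all;
    if (lc_ctype != NULL && *lc_ctype != '\0') return lc_ctype;
    if (lang != NULL && *lang != '\0') return lang;
    return NULL;
}

/* Mirrors the quoted patch: the value is interpolated verbatim. Assuan
 * commands are newline-terminated, so a value carrying '\n' turns one
 * OPTION request into two commands. Caller frees the result. */
char *build_lc_ctype_request_unsafe(const char *lc_ctype)
{
    size_t len = strlen(ASSUAN_OPTION_PREFIX) + strlen(lc_ctype) + 2; /* "\n" + NUL */
    char *req = malloc(len);
    if (req == NULL) return NULL;
    snprintf(req, len, ASSUAN_OPTION_PREFIX "%s\n", lc_ctype);
    return req;
}

/* Number of Assuan command lines in a request buffer: one per '\n'. */
size_t count_assuan_lines(const char *req)
{
    size_t n = 0;
    for (; *req != '\0'; req++)
        if (*req == '\n') n++;
    return n;
}

/* Allow-list for locale names ("C", "POSIX", "en_US.UTF-8", "de_DE@euro"):
 * ASCII letters and digits plus '.', '_', '@', '-'. The 64-byte cap is an
 * arbitrary sanity limit chosen for this example, not an Assuan rule. */
int is_safe_locale_name(const char *s)
{
    if (s == NULL || *s == '\0' || strlen(s) > 64) return 0;
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        if (c > 0x7f) return 0;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '@' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened construction: refuse values that fail the allow-list, so CR, LF,
 * '%' and other protocol characters never reach the agent. NULL on refusal. */
char *build_lc_ctype_request_safe(const char *lc_ctype)
{
    if (!is_safe_locale_name(lc_ctype)) return NULL;
    return build_lc_ctype_request_unsafe(lc_ctype);
}

int main(void)
{
    /* Constructed hostile value: a locale name followed by a second command. */
    const char *hostile = "en_US.UTF-8\nGETINFO version";
    char *req = build_lc_ctype_request_unsafe(hostile);
    printf("unsafe build sends %zu command line(s)\n", count_assuan_lines(req));
    free(req);

    req = build_lc_ctype_request_safe(hostile);
    printf("safe build: %s\n", req == NULL ? "rejected" : "accepted");
    free(req);

    /* POSIX precedence: LC_ALL wins even when LC_CTYPE is also set. */
    printf("locale used: %s\n", pick_lc_ctype("C", "de_DE@euro", "en_US.UTF-8"));
    return 0;
}
```

Rejecting rather than escaping is deliberate: a locale name that needs escaping is not a locale name, and silently sending nothing is harmless because the agent simply keeps its default ctype.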

