curl-library

Re: Custom OpenSSL crypto engine not known to cURL

From: Camille Moncelier <moncelier_at_devlife.org>
Date: Thu, 1 Apr 2010 08:53:50 +0200

> I can think of arguments both for and against using the same name. But I'm
> curious in learning what the WORST is that could happen if an app wrongly
> would be made to load a config file (possibly by an inventive user). I'm
> really not into these details and I've not yet had any answers to these
> security-related concerns.

You could set up some _evil_ openssl engine and set init = 1 so
openssl tries to initialize it automatically and TADA. (Bonus points if
the application is setuid root) :-)

-- 
Camille Moncelier
http://devlife.org/
If Java had true garbage collection, most programs would
delete themselves upon execution.
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2010-04-01
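
An added example, not part of the original mail or of curl/OpenSSL code: a small audit of an OpenSSL config file for the engine auto-initialization the reply describes. The sample config, its section names and the placeholder path are constructed; `dynamic_path` and the meaning of `init` follow OpenSSL's config(5).

```python
import re

# Constructed sample config (not from the original mail); the path is a placeholder.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
demo = demo_section
builtin = builtin_section
[demo_section]
engine_id = demo
dynamic_path = /tmp/placeholder/libdemo.so
init = 1
[builtin_section]
engine_id = builtin
init = 0
"""

def parse_cnf(text):
    """Parse OpenSSL's ini-like syntax into {section: {key: value}}."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def audit_engines(text):
    """Return (engine, dynamic_path, init) for engines the config loads and initializes."""
    cnf = parse_cnf(text)
    # Follow the chain: openssl_conf -> init section -> engines section -> per-engine sections.
    init_sec = cnf.get(cnf["default"].get("openssl_conf", ""), {})
    engines = cnf.get(init_sec.get("engines", ""), {})
    findings = []
    for name, sec_name in engines.items():
        sec = cnf.get(sec_name, {})
        init = sec.get("init")  # config(5): 0 = not initialized; 1 or absent = initialized
        if "dynamic_path" in sec and init != "0":
            findings.append((name, sec["dynamic_path"], init))
    return findings
```

Running `audit_engines` over whatever config file an application can be pointed at shows which shared objects it would load and initialize on startup.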