Noob trying to get gunpg working

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


aladdinsane
Forum Commoner
Posts: 38
Joined: Fri Sep 05, 2003 2:15 pm

Post by aladdinsane »

Hi,

Right I have done that. It produces a long list of details but I can't see where it says what user the script runs as.

Can you help me, please? I am tearing my hair out over this!

Thanks

Keith
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

well, ok, let's assume it works ok if you did in fact change permissions to private executable (0700)..

now try this:

echo '<PRE>';
passthru ('/usr/bin/gpg --homedir /home/username/.yourgpgdir --list-keys 2>&1');

(May need to change the path to gpg).
That should output a list of the public keys held, does this work?
aladdinsane
Forum Commoner
Posts: 38
Joined: Fri Sep 05, 2003 2:15 pm

Post by aladdinsane »

Hi,

Yes that worked. I got a list of keys.

I had to put

echo'';

first though. Without I get malformed header errors.

Seems like we are getting somewhere!

Do go on...

Thanks

Keith
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

echo ''; would fix header probs? that is weird, sounds like that system may have the cli version of php, or the cgiwrapper is broken, try this as the first line of output instead:

echo 'Content-Type: text/html'."\r\n\r\n";

ok, so we know that gpg works now as your own user, now try this:

echo '<pre>';
passthru("echo 'test' | /usr/bin/gpg -ear touser --always-trust --homedir /home/usr/.mygpgpdir 2&>1");

where touser is the username of the receiver (no need to input full email, just the common user/nick you gave it is enough, whatever works on commandline)

what does that give?
aladdinsane
Forum Commoner
Posts: 38
Joined: Fri Sep 05, 2003 2:15 pm

Post by aladdinsane »

Hi,

That gives me a blank page with no output.

Edited -

I just looked via ftp and it seems to have created a file called '1' containing -

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: fatal: ~/.gnupg: can't create directory: No such file or directory
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/16384

Keith
aladdinsane
Forum Commoner
Posts: 38
Joined: Fri Sep 05, 2003 2:15 pm

Post by aladdinsane »

Hi,

I think we've cracked it. I have now made a script that sends me an encrypted e-mail that when unencrypted contains the correct output.

Here is the script. Is it now secure?


#!/usr/bin/php
<? 
//build the message string 
$msg = "Hello this is a test of my own encryption script"; 

//set the environment variable for GNUPGHOME 
putenv("GNUPGHOME=/home/username/.gnupg"); 

$crypted = "/home/username/public_html/dev/coded.txt"; 

//invoke GNUPG to encrypt form contents 

system("echo '$msg' | /usr/bin/gpg --homedir /home/username/.gnupg --batch --always-trust -eatr keith@anemailaddress.co.uk -o $crypted"); 

//open file and read encrypted contents into var 
$fd = fopen($crypted, "r"); 
$mail_cont = fread($fd, filesize($crypted)); 
fclose($fd); 

//delete files! 
unlink($crypted); 

// Build mail message and send it to target recipient. 
$recipient = "keith@anemailaddress.co.uk"; 
$subject = "Secret Message"; 

$mailheaders = "From: My Web Site\n"; 
$mailheaders .= "Reply-To: $sender_email\n\n"; 

mail("$recipient", "$subject", $mail_cont, $mailheaders); 

// Print confirmation to screen.
echo'';
echo " 
<H1 align=center>$msg</h1> 
<p align=center>Your secret message has been sent.</p> 
"; 
?>
Many Thanks

Keith
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

The reason it gave no output was that everything was sent to the file 1, I typoed, the redirection should be 2>&1 (move the ampersand)

Your script is not very secure, for instance you are using uncontrolled text in shell execution, this is very very bad (ALWAYS use escapeshellarg), and your script may fail if more than one person is accessing it at the same time (No point wasting disk resources by writing a file either).

I would suggest that you now use the code that I posted in my first post, just correct the typo that caused the parse error, add the -t to options if you need that..

If it doesn't work, add the 2>&1 at the end to redirect errors to stdout so you can read them..
aladdinsane
Forum Commoner
Posts: 38
Joined: Fri Sep 05, 2003 2:15 pm

Post by aladdinsane »

Hi,

I have done a fair bit of work on the script since the last post. It now takes form input correctly. The filename contains a random element to stop trouble from more than 1 user accessing it.

What I want to do is add the escapeshellarg. But when I add this it doesn't work, it shows it in the text of the e-mail.

Can someone help me write this line so it includes the escapeshellarg

system("echo '$msg' | /usr/bin/gpg --homedir /home/username/.gnupg --batch --always-trust -eatr keith@email.co.uk -o $crypted");

Stoker thank-you very much for all of your help on this. I really appreciate it.


#!/usr/bin/php
<? 
$msg ="$sender_name\n";
$msg .="$sender_email\n";
$msg .="$message";

$randomfile = rand (1, 1234567890);
$crypted = ("/home/username/public_html/dev/".$randomfile);

//invoke GNUPG to encrypt form contents 

system("echo '$msg' | /usr/bin/gpg --homedir /home/username/.gnupg --batch --always-trust -eatr keith@email.co.uk -o $crypted"); 

//delete variable containing user input

$msg = "";

//open file and read encrypted contents into var 
$fd = fopen($crypted, "r"); 
$mail_cont = fread($fd, filesize($crypted)); 
fclose($fd); 

//delete files! 
unlink($crypted); 

// Build mail message and send it to target recipient. 
$recipient = "keith@email.co.uk"; 
$subject = "Secret Message"; 

$mailheaders = "From: My Web Site\n"; 
$mailheaders .= "Reply-To: $sender_email\n\n"; 

mail("$recipient", "$subject", $mail_cont, $mailheaders); 

// Print confirmation to screen.
echo ""; 
echo " 
<H1 align=center>Thank You, $msg</h1> 
<p align=center>Your secret message has been sent.</p> 
"; 
?>
aladdinsane
Forum Commoner
Posts: 38
Joined: Fri Sep 05, 2003 2:15 pm

Post by aladdinsane »

Hi,

Some notes on my escapeshellarg problem. If I use -

$msg ="$sender_name\n";
$msg .="$sender_email\n";
$msg .="$message";

$msg = escapeshellarg($msg)

the whole script stops working properly.

If I use -

$msg ="$sender_name";
$msg .="$sender_email";
$msg .="$message";

$msg = escapeshellarg($msg)

it works but there are no line breaks in my e-mail.

How can I get around this?

Thanks

Keith
aladdinsane
Forum Commoner
Posts: 38
Joined: Fri Sep 05, 2003 2:15 pm

Post by aladdinsane »

Hi,

This now seems to work. Are there any more security holes to fill? One question should I be using escapeshellarg or escapeshellcmd?

Thanks

Keith


#!/usr/bin/php
<? 
$msg = escapeshellarg($sender_name); 
$msg .="\n";
$msg .= escapeshellarg($sender_email);
$msg .="\n";
$msg .= escapeshellarg($message);

$randomfile = rand (1, 1234567890);
$crypted = ("/home/friendsh/public_html/dev/".$randomfile);

//invoke GNUPG to encrypt form contents 

system("echo '$msg' | /usr/bin/gpg --homedir /home/friendsh/.gnupg --batch --always-trust -eatr keith@anemail.co.uk -o $crypted"); 


//empty variable containing user input

$msg = "";

//open file and read encrypted contents into var 
$fd = fopen($crypted, "r"); 
$mail_cont = fread($fd, filesize($crypted)); 
fclose($fd); 

//delete files! 
unlink($crypted); 

// Build mail message and send it to target recipient. 
$recipient = "keith@anemail.co.uk"; 
$subject = "Secret Message"; 

$mailheaders = "From: My Web Site\n"; 
$mailheaders .= "Reply-To: $sender_email\n\n"; 

mail("$recipient", "$subject", $mail_cont, $mailheaders); 

// Print confirmation to screen.
echo ""; 
echo " 
<H1 align=center>Thank You, $msg</h1> 
<p align=center>Your secret message has been sent.</p> 
"; 
?>
Last edited by aladdinsane on Tue Sep 09, 2003 7:19 pm, edited 1 time in total.
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

no no, do NOT use escapeshellarg multiple times, you take your whole complete message and do escapeshellarg ONCE to make it a single argument for the systems echo command, look at the first sample I posted.

Why are you using a hard file? There is no need to do that, it just creates a lot of operations, and from a paranoid point of view there is no need to write the encrypted data to disk
aladdinsane
Forum Commoner
Posts: 38
Joined: Fri Sep 05, 2003 2:15 pm

Post by aladdinsane »

Hi,

I know my current script works except when I try to add the escapeshellarg in the system() call.

I saw your first post but I am unsure of how to write this code correctly. This is my first time writing a system() code and I am struggling to get this bit to work as I do not know the syntax of this.

Can you help me with the particular line I want to write because I know it works and all the options are in the correct order. This is the line I want to add the escapeshellarg () to -


system("echo '$msg' | /usr/bin/gpg --homedir /home/username/.gnupg --batch --always-trust -eatr keith@email.co.uk -o $crypted");
Incidentally does using the escapeshellarg repeatedly still work? Is the problem just that it is not efficient calling it several times?

Many Thanks

Keith
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

You are misunderstanding what escapeshellarg does and how the command line works, an argument is a single whitespace separated token, if the token contains whitespace or other control characters these must be escaped and/or enclosed in quotes, escapeshellarg does all this for you..

I rewrote your script a bit here:


#!/usr/bin/php
<?php

 # I dont know where you are getting $sender_name and the other variables from,
 # I suspect they are from a POST request, so I there for handle them safely here.
 # I assume magic quotes gpc is enabled.

 # Remove these lines if those vars are from elsewhere
 $sender_name   = strip_tags( strip_slashes( trim( $_REQUEST['sender_name'] )));
 $sender_email  = strip_tags( strip_slashes( trim( $_REQUEST['sender_email'] )));
 $message       = strip_tags( strip_slashes( trim( $_REQUEST['message'] )));
 # Done cleaning input, perhaps add some validation later?

 $_REQUEST = $_POST = $_GET = array();  # Paranoid

 # Email Message:
 $msg = 'Name: ' . $sender_name . "\n"
        . 'Email: ' . $sender_email . "\n"
        . 'Message:' . "\n" . $message . "\n";

 $message = '';  # Paranoid

 # System Call to encrypt email content
 exec('/bin/echo '. escapeshellarg ($msg)
        . ' | /usr/bin/gpg --homedir /home/user/.gpgdirsomewhere '
        . ' --batch --always-trust -eatr \'user@mail.co.uk\'', $encoded);

 $msg = ''; # Paranoid

 # Build mail message and send it to target recipient.
 $recipient = 'user@mail.com';
 $subject = 'Secret Message';
 $mailheaders = "From: My Web Site\n"
                . "Reply-To: $sender_email\n";

 $result = mail($recipient, $subject, implode ('',$encoded), $mailheaders);
 $encoded = ''; # Paranoid

 # Print confirmation to screen.
 if (!$result) {  /* Do something when mail was not sent */ }
 else {
   ?> 
      <H1 align=center>Thank You, <?php echo htmlspecialchars($sender_name); ?></h1>
      <p align=center>Your secret message has been sent.</p>

   <?php
 }

?>
That will not waste resources on writing useless files..
Last edited by Stoker on Tue Sep 09, 2003 6:29 pm, edited 2 times in total.
aladdinsane
Forum Commoner
Posts: 38
Joined: Fri Sep 05, 2003 2:15 pm

Post by aladdinsane »

Hi,

Thanks for that.

Unfortunately there are some errors.

1) Call to undefined function strip_slashes()

Removed these lines and it gets past here and sends the e-mail.

2) The e-mail contains the data but it is all in a long line so pgp will not read it. I didn't have this problem before.

Keith
Stoker
Forum Regular
Posts: 782
Joined: Thu Jan 23, 2003 9:45 pm
Location: SWNY

Post by Stoker »

1) Use stripslashes, a typo

2) change the mailing line to
$result = mail($recipient, $subject, implode ("\r\n",$encoded), $mailheaders);
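A hardened version of the pattern Stoker describes above (one argument, no hand-made quoting, no temp file) together with his last fix for the lost line breaks, as an added example that is code from neither poster: it starts gpg through proc_open with an argument array (PHP 7.4 or later runs the program directly, with no shell involved) and feeds the message on stdin, so newlines survive and escapeshellarg is not needed at all. The recipient, the --homedir path and the form field names are assumed placeholders.

```php
<?php
// Added example, not code from the thread. Placeholders: recipient key id,
// --homedir path and the form field names are assumptions.
function gpg_encrypt_armored(string $plaintext, string $recipient, string $homedir): string
{
    // Argument array (PHP >= 7.4): gpg is started directly, no shell, so the
    // message never needs quoting and cannot be turned into extra commands.
    $cmd = ['/usr/bin/gpg', '--homedir', $homedir, '--batch',
            '--always-trust',   // as in the thread; proper key trust is better
            '--armor', '--encrypt', '--recipient', $recipient];
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start gpg');
    }
    fwrite($pipes[0], $plaintext);   // plaintext via stdin: newlines preserved
    fclose($pipes[0]);
    $cipher = stream_get_contents($pipes[1]);
    $errors = stream_get_contents($pipes[2]);   // "can't create directory" style errors land here
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0 || strpos($cipher, '-----BEGIN PGP MESSAGE-----') !== 0) {
        throw new RuntimeException("gpg failed (exit $status): $errors");
    }
    return $cipher;   // armored text, already line-broken for mail()
}

// Form input: validate the email because it goes into a mail header.
$sender_name  = trim($_POST['sender_name'] ?? '');
$sender_email = filter_var(trim($_POST['sender_email'] ?? ''), FILTER_VALIDATE_EMAIL);
$message      = trim($_POST['message'] ?? '');
if ($sender_email === false || $message === '') {
    http_response_code(400);
    exit('Invalid input');
}

$msg = "Name: $sender_name\nEmail: $sender_email\nMessage:\n$message\n";
$armored = gpg_encrypt_armored($msg, 'recipient@example.invalid', '/home/username/.gnupg');
$headers = "From: My Web Site\r\nReply-To: $sender_email\r\n";
if (!mail('recipient@example.invalid', 'Secret Message', $armored, $headers)) {
    exit('Mail could not be sent');
}
echo '<h1>Thank you, ' . htmlspecialchars($sender_name, ENT_QUOTES, 'UTF-8') . '</h1>';
```

On PHP older than 7.4, proc_open only accepts a command string; build it the way Stoker's exec() call does, wrapping each value (homedir, recipient) in escapeshellarg once, while the message itself still goes in over stdin.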