
Re: Bug#903815: ITP: pw -- A simple command-line password manager





On Mon, Jul 16, 2018 at 4:08 PM Andrey Rahmatullin <wrar@debian.org> wrote:
On Mon, Jul 16, 2018 at 03:49:18PM +0200, Dashamir Hoxha wrote:
> > > > ++ mktemp -d /dev/shm/pw.sh.XXXXXXXXXXXXX
> > > > + WORKDIR=/dev/shm/pw.sh.JHasAYH9zwYz1
> > > > [...]
> > > > + decrypt /home/pkern/.pw/pw.tgz
> > > > + local archive=/home/pkern/.pw/pw.tgz
> > > > + local 'opts=--quiet --yes --batch '
> > > > + [[ -z '' ]]
> > > > + gpg2 --quiet --yes --batch --passphrase-fd 0 /home/pkern/.pw/pw.tgz.gpg
> > > > + local err=0
> > > > + [[ 0 -ne 0 ]]
> > > > + tar -xzf /home/pkern/.pw/pw.tgz -C /dev/shm/pw.sh.JHasAYH9zwYz1
> > > > + rm -f /home/pkern/.pw/pw.tgz
> > > >
> > >
> > > So, you have not looked at the code trying to follow the logic.
> > > You have just tried to debug it. This way you cannot get the full picture.
> > > But nevertheless it is useful for finding ways to break the script.
> > > By the way, you may notice that *there is* error checking there.
> > >
> > > This clearly writes the unencrypted tarball out to disk.
> > > >
> > >
> > > It writes to `/dev/shm` which is not disk.
> > So /home/pkern/.pw/pw.tgz is not "the unencrypted tarball"?
> >
>
> Now I see.
Can we assume you didn't look at the code trying to follow the logic and
you don't have the full picture?
 
Yes you can. I just looked at the example provided, but did not look carefully enough.


--
WBR, wRAR
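
The problem the trace shows (gpg2 leaves the plaintext `pw.tgz` in the home directory before `tar` extracts it to `/dev/shm`) goes away when the decrypted stream is piped straight into `tar`. The following is an added example, not code from pw or from this thread; `decrypt_to_stdout`, `extract_encrypted` and the `PW_TMP` variable are hypothetical names, and passphrase entry is assumed to be handled by gpg-agent.

```shell
#!/bin/sh
# Added example, not code from pw: decrypt straight into the tmpfs work
# directory so that no plaintext pw.tgz is ever created beside pw.tgz.gpg.

# Hypothetical helper: write the decrypted archive to stdout only.
# Assumption: gpg-agent/pinentry supplies the passphrase.
decrypt_to_stdout() {
    gpg2 --quiet --decrypt -- "$1"
}

# Hypothetical function: extract the encrypted archive $1 into a fresh
# directory under $PW_TMP (default /dev/shm) and print that directory.
extract_encrypted() {
    pw_workdir=$(mktemp -d "${PW_TMP:-/dev/shm}/pw.sh.XXXXXXXXXXXXX") || return 1
    pw_failed=$pw_workdir/.decrypt_failed   # marker: gpg itself failed

    # The left side records a gpg failure because a pipeline's exit status
    # is tar's alone; tar sees EOF only after the marker has been written.
    if { decrypt_to_stdout "$1" || : > "$pw_failed"; } |
            tar -xzf - -C "$pw_workdir" &&
       [ ! -e "$pw_failed" ]; then
        printf '%s\n' "$pw_workdir"
    else
        rm -rf -- "$pw_workdir"             # never leave partial plaintext
        return 1
    fi
}
```

`/dev/shm` is tmpfs, and tmpfs pages can be written out to swap, so on a host with unencrypted swap the plaintext may still reach disk.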