password-store

Simple password manager using gpg and ordinary unix directories
git clone https://git.zx2c4.com/password-store
Log | Files | Refs | README | LICENSE
commit 7252e8b3cf829e908179913daad16ff2b8bdefdd
parent c1b3ff04425844ed88fac2a634232bdb8e2662bc
Author: Stacey Sheldon <stac@solidgoldbomb.org>
Date:   Sun, 23 Jul 2017 15:37:33 -0400

protect dirname calls from pass-names that look like command-line options

With the $path variable being passed directly to dirname, any pass-names
provided by the user that happened to look like options to dirname would
be processed as options rather than as the path to be split.

This results in a real mess when you happen to run one of:

  pass edit --help
  pass generate --help
  pass insert --help

then in the cmd_foo() function, you have:

   mkdir -p -v "$PREFIX/$(dirname --help)"

which (due to the -p option to mkdir) results in the creation of an
entire directory hierarchy made up of the slash-separated help text from
dirname.

Diffstat:

Msrc/password-store.sh | 12++++++------


1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/password-store.sh b/src/password-store.sh
@@ -430,8 +430,8 @@ cmd_insert() {
 
 	[[ $force -eq 0 && -e $passfile ]] && yesno "An entry already exists for $path. Overwrite it?"
 
-	mkdir -p -v "$PREFIX/$(dirname "$path")"
-	set_gpg_recipients "$(dirname "$path")"
+	mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+	set_gpg_recipients "$(dirname -- "$path")"
 
 	if [[ $multiline -eq 1 ]]; then
 		echo "Enter contents of $path and press Ctrl+D when finished:"
@@ -464,8 +464,8 @@ cmd_edit() {
 
 	local path="${1%/}"
 	check_sneaky_paths "$path"
-	mkdir -p -v "$PREFIX/$(dirname "$path")"
-	set_gpg_recipients "$(dirname "$path")"
+	mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+	set_gpg_recipients "$(dirname -- "$path")"
 	local passfile="$PREFIX/$path.gpg"
 	set_git "$passfile"
 
@@ -506,8 +506,8 @@ cmd_generate() {
 	local length="${2:-$GENERATED_LENGTH}"
 	check_sneaky_paths "$path"
 	[[ ! $length =~ ^[0-9]+$ ]] && die "Error: pass-length \"$length\" must be a number."
-	mkdir -p -v "$PREFIX/$(dirname "$path")"
-	set_gpg_recipients "$(dirname "$path")"
+	mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+	set_gpg_recipients "$(dirname -- "$path")"
 	local passfile="$PREFIX/$path.gpg"
 	set_git "$passfile"