m-chrzan.xyz
aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStacey Sheldon <stac@solidgoldbomb.org>2017-07-23 15:37:33 -0400
committerJason A. Donenfeld <Jason@zx2c4.com>2017-10-13 20:21:40 +0200
commit7252e8b3cf829e908179913daad16ff2b8bdefdd (patch)
treebfc323e70496d7728971e728e8e306340f5196e4
parentc1b3ff04425844ed88fac2a634232bdb8e2662bc (diff)
protect dirname calls from pass-names that look like command-line options
With the $path variable being passed directly to dirname, any pass-names provided by the user that happened to look like options to dirname would be processed as options rather than as the path to be split. This results in a real mess when you happen to run one of: pass edit --help pass generate --help pass insert --help then in the cmd_foo() function, you have: mkdir -p -v "$PREFIX/$(dirname --help)" which (due to the -p option to mkdir) results in the creation of an entire directory hierarchy made up of the slash-separated help text from dirname.
-rwxr-xr-xsrc/password-store.sh12
1 files changed, 6 insertions, 6 deletions
diff --git a/src/password-store.sh b/src/password-store.sh
index d77ff12..b86631d 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -430,8 +430,8 @@ cmd_insert() {
[[ $force -eq 0 && -e $passfile ]] && yesno "An entry already exists for $path. Overwrite it?"
- mkdir -p -v "$PREFIX/$(dirname "$path")"
- set_gpg_recipients "$(dirname "$path")"
+ mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+ set_gpg_recipients "$(dirname -- "$path")"
if [[ $multiline -eq 1 ]]; then
echo "Enter contents of $path and press Ctrl+D when finished:"
@@ -464,8 +464,8 @@ cmd_edit() {
local path="${1%/}"
check_sneaky_paths "$path"
- mkdir -p -v "$PREFIX/$(dirname "$path")"
- set_gpg_recipients "$(dirname "$path")"
+ mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+ set_gpg_recipients "$(dirname -- "$path")"
local passfile="$PREFIX/$path.gpg"
set_git "$passfile"
@@ -506,8 +506,8 @@ cmd_generate() {
local length="${2:-$GENERATED_LENGTH}"
check_sneaky_paths "$path"
[[ ! $length =~ ^[0-9]+$ ]] && die "Error: pass-length \"$length\" must be a number."
- mkdir -p -v "$PREFIX/$(dirname "$path")"
- set_gpg_recipients "$(dirname "$path")"
+ mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+ set_gpg_recipients "$(dirname -- "$path")"
local passfile="$PREFIX/$path.gpg"
set_git "$passfile"