author | Stacey Sheldon <stac@solidgoldbomb.org> | 2017-07-23 15:37:33 -0400 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2017-10-13 20:21:40 +0200 |
commit | 7252e8b3cf829e908179913daad16ff2b8bdefdd (patch) | |
tree | bfc323e70496d7728971e728e8e306340f5196e4 /src | |
parent | c1b3ff04425844ed88fac2a634232bdb8e2662bc (diff) |
protect dirname calls from pass-names that look like command-line options

With the $path variable being passed directly to dirname, any pass-names
provided by the user that happened to look like options to dirname would
be processed as options rather than as the path to be split.

This results in a real mess when you happen to run one of:

    pass edit --help
    pass generate --help
    pass insert --help

then in the cmd_foo() function, you have:

    mkdir -p -v "$PREFIX/$(dirname --help)"

which (due to the -p option to mkdir) results in the creation of an
entire directory hierarchy made up of the slash-separated help text from
dirname.
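
The failure mode described in the commit message, as an added check that is not part of the commit or of password-store.sh: it runs the mkdir step in a scratch directory with the old and the patched dirname call and counts the directories created. `parent_of`, `stray_dirs` and the sample names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not code from password-store.sh.
# parent_of and stray_dirs are hypothetical helpers; the store is a temp dir.

# Print the parent directory of an entry name.
# mode=guarded uses "dirname --" (the patched form); anything else is the old form.
parent_of() {
    if [ "$1" = guarded ]; then
        dirname -- "$2"
    else
        # Old form: an option-like name is parsed by dirname as an option.
        dirname "$2" 2>/dev/null || :
    fi
}

# Run the mkdir step in a scratch store and print how many directories it
# created. An ordinary entry name creates only its real parent directories.
stray_dirs() {
    store="$(mktemp -d)" || return 1
    parent="$(parent_of "$1" "$2")"
    mkdir -p "$store/$parent" 2>/dev/null || :
    # One "x" per directory, so names containing newlines are counted once.
    count="$(find "$store" -mindepth 1 -type d -exec printf x \; | wc -c | tr -d ' ')"
    rm -rf -- "$store"
    echo "$count"
}

# Constructed sample names: three option look-alikes and one ordinary nested entry.
for name in --help --version -z work/mail; do
    printf '%-10s old=%s patched=%s\n' "$name" \
        "$(stray_dirs old "$name")" "$(stray_dirs guarded "$name")"
done
```

The count in the `old` column depends on what the local dirname prints for each option; the `patched` column should be 0 for every option look-alike and 1 for `work/mail`.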
Diffstat (limited to 'src')
-rwxr-xr-x | src/password-store.sh | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/src/password-store.sh b/src/password-store.sh index d77ff12..b86631d 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -430,8 +430,8 @@ cmd_insert() { [[ $force -eq 0 && -e $passfile ]] && yesno "An entry already exists for $path. Overwrite it?" - mkdir -p -v "$PREFIX/$(dirname "$path")" - set_gpg_recipients "$(dirname "$path")" + mkdir -p -v "$PREFIX/$(dirname -- "$path")" + set_gpg_recipients "$(dirname -- "$path")" if [[ $multiline -eq 1 ]]; then echo "Enter contents of $path and press Ctrl+D when finished:" @@ -464,8 +464,8 @@ cmd_edit() { local path="${1%/}" check_sneaky_paths "$path" - mkdir -p -v "$PREFIX/$(dirname "$path")" - set_gpg_recipients "$(dirname "$path")" + mkdir -p -v "$PREFIX/$(dirname -- "$path")" + set_gpg_recipients "$(dirname -- "$path")" local passfile="$PREFIX/$path.gpg" set_git "$passfile" @@ -506,8 +506,8 @@ cmd_generate() { local length="${2:-$GENERATED_LENGTH}" check_sneaky_paths "$path" [[ ! $length =~ ^[0-9]+$ ]] && die "Error: pass-length \"$length\" must be a number." - mkdir -p -v "$PREFIX/$(dirname "$path")" - set_gpg_recipients "$(dirname "$path")" + mkdir -p -v "$PREFIX/$(dirname -- "$path")" + set_gpg_recipients "$(dirname -- "$path")" local passfile="$PREFIX/$path.gpg" set_git "$passfile" |
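Review bot: the `--` protects dirname itself, but in all three hunks its output is passed straight on as `set_gpg_recipients "$(dirname -- "$path")"`, and that output can still begin with a dash (a name such as `-x/y` yields `-x`). The mkdir argument is shielded by the leading `$PREFIX/`, but the body of set_gpg_recipients is not in this diff, so please confirm it prefixes or otherwise guards its argument before handing it to any command, or pass it `"./$(dirname -- "$path")"`-style input here.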
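Review bot: the same two-line pair is patched in cmd_insert, cmd_edit and cmd_generate, and each calls `dirname -- "$path"` twice. Computing the parent once into a local variable (or a small helper shared by the three commands) would leave a single place that needs the `--` guard, so a future call site cannot reintroduce the unguarded form. A regression test that runs `pass insert --help`, `pass edit --help` and `pass generate --help` against a scratch store and checks that no directories appear would be worth adding with this change.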