From 7252e8b3cf829e908179913daad16ff2b8bdefdd Mon Sep 17 00:00:00 2001
From: Stacey Sheldon
Date: Sun, 23 Jul 2017 15:37:33 -0400
Subject: protect dirname calls from pass-names that look like command-line options
With the $path variable being passed directly to dirname, any pass-names provided by the user that happened to look like options to dirname would be processed as options rather than as the path to be split. This results in a real mess when you happen to run one of: pass edit --help pass generate --help pass insert --help then in the cmd_foo() function, you have: mkdir -p -v "$PREFIX/$(dirname --help)" which (due to the -p option to mkdir) results in the creation of an entire directory hierarchy made up of the slash-separated help text from dirname.
---
src/password-store.sh | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'src')
diff --git a/src/password-store.sh b/src/password-store.sh
index d77ff12..b86631d 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -430,8 +430,8 @@ cmd_insert() {
 [[ $force -eq 0 && -e $passfile ]] && yesno "An entry already exists for $path. Overwrite it?"
- mkdir -p -v "$PREFIX/$(dirname "$path")"
- set_gpg_recipients "$(dirname "$path")"
+ mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+ set_gpg_recipients "$(dirname -- "$path")"
 if [[ $multiline -eq 1 ]]; then
 echo "Enter contents of $path and press Ctrl+D when finished:"
@@ -464,8 +464,8 @@ cmd_edit() {
 local path="${1%/}"
 check_sneaky_paths "$path"
- mkdir -p -v "$PREFIX/$(dirname "$path")"
- set_gpg_recipients "$(dirname "$path")"
+ mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+ set_gpg_recipients "$(dirname -- "$path")"
 local passfile="$PREFIX/$path.gpg"
 set_git "$passfile"
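Review bot: In cmd_insert the new `$(dirname -- "$path")` is still evaluated twice, and the same pair is repeated in cmd_edit and cmd_generate, so the end-of-options guard has to be kept intact in six places. Computing it once per function, `local dir; dir="$(dirname -- "$path")"` followed by `mkdir -p -v "$PREFIX/$dir"` and `set_gpg_recipients "$dir"`, leaves a single spot where the `--` could be lost in a later edit. A comment there such as `# "--" ends option parsing: a pass-name like --help must be handled as a path` would record why it is needed. Only these three functions are visible in the diff, so any other place in the script that hands a user-supplied name to an external command would need the same check; all three function bodies continue outside their hunks.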
@@ -506,8 +506,8 @@ cmd_generate() {
 local length="${2:-$GENERATED_LENGTH}"
 check_sneaky_paths "$path"
 [[ ! $length =~ ^[0-9]+$ ]] && die "Error: pass-length \"$length\" must be a number."
- mkdir -p -v "$PREFIX/$(dirname "$path")"
- set_gpg_recipients "$(dirname "$path")"
+ mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+ set_gpg_recipients "$(dirname -- "$path")"
 local passfile="$PREFIX/$path.gpg"
 set_git "$passfile"
-- 
cgit v1.2.3