[PATCH] protect dirname calls from pass-names that look like command-line options

Sun, 23 Jul 2017 12:39:06 -0700 

With the $path variable being passed directly to dirname, any pass-names
provided by the user that happened to look like options to dirname would
be processed as options rather than as the path to be split.

This results in a real mess when you happen to run one of:

  pass edit --help
  pass generate --help
  pass insert --help

then in the cmd_foo() function, you have:

   mkdir -p -v "$PREFIX/$(dirname --help)"

which (due to the -p option to mkdir) results in the creation of an
entire directory hierarchy made up of the slash-separated help text from
dirname.
---
 src/password-store.sh | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/password-store.sh b/src/password-store.sh
index d77ff12..b86631d 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -430,8 +430,8 @@ cmd_insert() {
 
        [[ $force -eq 0 && -e $passfile ]] && yesno "An entry already exists 
for $path. Overwrite it?"
 
-       mkdir -p -v "$PREFIX/$(dirname "$path")"
-       set_gpg_recipients "$(dirname "$path")"
+       mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+       set_gpg_recipients "$(dirname -- "$path")"
 
        if [[ $multiline -eq 1 ]]; then
                echo "Enter contents of $path and press Ctrl+D when finished:"
@@ -464,8 +464,8 @@ cmd_edit() {
 
        local path="${1%/}"
        check_sneaky_paths "$path"
-       mkdir -p -v "$PREFIX/$(dirname "$path")"
-       set_gpg_recipients "$(dirname "$path")"
+       mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+       set_gpg_recipients "$(dirname -- "$path")"
        local passfile="$PREFIX/$path.gpg"
        set_git "$passfile"
 
@@ -506,8 +506,8 @@ cmd_generate() {
        local length="${2:-$GENERATED_LENGTH}"
        check_sneaky_paths "$path"
        [[ ! $length =~ ^[0-9]+$ ]] && die "Error: pass-length \"$length\" must 
be a number."
-       mkdir -p -v "$PREFIX/$(dirname "$path")"
-       set_gpg_recipients "$(dirname "$path")"
+       mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+       set_gpg_recipients "$(dirname -- "$path")"
        local passfile="$PREFIX/$path.gpg"
        set_git "$passfile"
 
-- 
2.11.0

_______________________________________________
Password-Store mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/password-store

Reply via email to