[pass] copying usernames and urls

René Neumann lists at necoro.eu
Tue Apr 29 17:08:58 CEST 2014


On 29.04.2014 16:57, Alfredo Pironti wrote:
> 
> Letting software run on unexpected data (the case where the user invokes
> the additional command on unformatted data) can have bad consequences.
> Sure, one can try to implement conservative checks to gracefully fail, but
> they increase complexity and sometimes one just misses such checks. Since this is
> software running on sensitive data, taking the conservative approach
> (of not parsing user data at all) seems safer, although functionality may
> be hindered a bit.

Just to see if I understand your point: If pass itself does not enforce
a format per se, but offers some subcommand that expects a certain
format, things may go wrong. So for the fields example, there may be
someone who (by chance) has a password that starts with 'User:' which
now gets output though it should not.

If this is your point, doesn't the problem exist anyway? The same can
happen even if the command is not part of pass but external (or a
shell pipeline ...). The only reasonable thing here would be to have
educated users who 'know what they are doing' (i.e. for the example
above, see the problem and change the pwd accordingly).

- René
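
The 'User:' case discussed in this message, as an added example that is not part of the original post or of pass itself: a field extractor that matches every line emits a password that happens to start with 'User:', while one that never reads line 1 does not. It assumes the common convention that line 1 of an entry is the password and later lines are `Name: value` fields; the function names and the sample entry are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample entry: line 1 is the password, and by chance it
# starts with "User:". Lines 2+ are "Name: value" fields (assumed convention).
sample_entry() {
    printf '%s\n' \
        'User:hunter2-constructed' \
        'User: alice' \
        'URL: https://example.org/login'
}

# Naive extractor (hypothetical helper): matches the prefix on every line,
# so the password line is treated as a field and written to stdout.
# $1 = field name, entry on stdin.
naive_field() {
    grep "^$1:" | sed "s/^$1:[[:space:]]*//"
}

# Conservative extractor (hypothetical helper): never inspects line 1,
# compares the field name literally (no regex), and stops at the first
# match. Prints nothing if the field is absent.
safe_field() {
    awk -v f="$1" '
        NR > 1 && index($0, f ":") == 1 {
            v = substr($0, length(f) + 2)
            sub(/^[ \t]+/, "", v)
            print v
            exit
        }'
}

echo "naive:"; sample_entry | naive_field User   # password line, then alice
echo "safe:";  sample_entry | safe_field User    # alice only
```

The conservative version still depends on the entry following the assumed layout; an entry whose password sits on a later line would defeat it, which is the point both posters are debating.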



