[PATCH] protect dirname calls from pass-names that look like command-line options
Stacey Sheldon
stac at solidgoldbomb.org
Sun Jul 23 21:37:33 CEST 2017
With the $path variable being passed directly to dirname, any pass-names
provided by the user that happened to look like options to dirname would
be processed as options rather than as the path to be split.
This results in a real mess when you happen to run one of:
pass edit --help
pass generate --help
pass insert --help
then in the cmd_foo() function, you have:
mkdir -p -v "$PREFIX/$(dirname --help)"
which (due to the -p option to mkdir) results in the creation of an
entire directory hierarchy made up of the slash-separated help text from
dirname.
---
src/password-store.sh | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/src/password-store.sh b/src/password-store.sh
index d77ff12..b86631d 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -430,8 +430,8 @@ cmd_insert() {
[[ $force -eq 0 && -e $passfile ]] && yesno "An entry already exists for $path. Overwrite it?"
- mkdir -p -v "$PREFIX/$(dirname "$path")"
- set_gpg_recipients "$(dirname "$path")"
+ mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+ set_gpg_recipients "$(dirname -- "$path")"
if [[ $multiline -eq 1 ]]; then
echo "Enter contents of $path and press Ctrl+D when finished:"
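Review bot: The directory component is still computed by two separate `dirname -- "$path"` substitutions at each call site, here in cmd_insert and again in the cmd_edit and cmd_generate hunks, so a later edit can drop the `--` from one call while the other stays guarded. Computing it once keeps the guard in a single place per function: `local dir; dir="$(dirname -- "$path")"`, then `mkdir -p -v "$PREFIX/$dir"` and `set_gpg_recipients "$dir"`. The diffstat shows only src/password-store.sh changing, so a regression case for a pass-name that begins with `-` (the `pass insert --help` example from the description) would be worth adding with this fix. Whether other commands outside these hunks pass `$path` to external tools without `--` cannot be told from here, and all three function bodies start and end outside their hunks.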
@@ -464,8 +464,8 @@ cmd_edit() {
local path="${1%/}"
check_sneaky_paths "$path"
- mkdir -p -v "$PREFIX/$(dirname "$path")"
- set_gpg_recipients "$(dirname "$path")"
+ mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+ set_gpg_recipients "$(dirname -- "$path")"
local passfile="$PREFIX/$path.gpg"
set_git "$passfile"
@@ -506,8 +506,8 @@ cmd_generate() {
local length="${2:-$GENERATED_LENGTH}"
check_sneaky_paths "$path"
[[ ! $length =~ ^[0-9]+$ ]] && die "Error: pass-length \"$length\" must be a number."
- mkdir -p -v "$PREFIX/$(dirname "$path")"
- set_gpg_recipients "$(dirname "$path")"
+ mkdir -p -v "$PREFIX/$(dirname -- "$path")"
+ set_gpg_recipients "$(dirname -- "$path")"
local passfile="$PREFIX/$path.gpg"
set_git "$passfile"
--
2.11.0