[PATCH] show, insert: handle password with empty name

HacKan hackan at gmail.com
Fri Jul 12 17:43:40 CEST 2019


Just a note: instead of `! -z` use `-n`

I agree on that an empty name should be an error and not accepted.

Cheers!

On July 12, 2019 12:24:22 PM GMT-03:00, "Rémi Lapeyre" <remi.lapeyre at henki.fr> wrote:
>Saving a password with an empty name could happen (when doing `pass
>insert "$passname"` for example) and would break `pass show` as it
>would
>show this passworld instead of listing them all. This behavior would
>break some third party integrations like passff.
>
>This changes both `pass insert` to refuse saving such a password and
>fix
>`pass show` to list the passwords since a ".gpg" file could still
>appear
>from a backup or a bad git commit (note that the empty password won't
>show up as its file will be ".gpg" and be hidden).
>---
> src/password-store.sh       | 3 ++-
> tests/t0020-show-tests.sh   | 7 +++++++
> tests/t0100-insert-tests.sh | 5 +++++
> 3 files changed, 14 insertions(+), 1 deletion(-)
>
>diff --git a/src/password-store.sh b/src/password-store.sh
>index b99460c..62b449e 100755
>--- a/src/password-store.sh
>+++ b/src/password-store.sh
>@@ -379,7 +379,7 @@ cmd_show() {
> 	local path="$1"
> 	local passfile="$PREFIX/$path.gpg"
> 	check_sneaky_paths "$path"
>-	if [[ -f $passfile ]]; then
>+	if [[ -f $passfile && ! -z "$path" ]]; then
> 		if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then
> 			pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $?
> 			echo "$pass" | $BASE64 -d
>@@ -444,6 +444,7 @@ cmd_insert() {
> 
>	[[ $err -ne 0 || ( $multiline -eq 1 && $noecho -eq 0 ) || $# -ne 1 ]]
>&& die "Usage: $PROGRAM $COMMAND [--echo,-e | --multiline,-m]
>[--force,-f] pass-name"
> 	local path="${1%/}"
>+	[[ -z "$path" ]] && die "Cannot insert a password with an empty
>name."
> 	local passfile="$PREFIX/$path.gpg"
> 	check_sneaky_paths "$path"
> 	set_git "$passfile"
>diff --git a/tests/t0020-show-tests.sh b/tests/t0020-show-tests.sh
>index a4b782f..3acdc39 100755
>--- a/tests/t0020-show-tests.sh
>+++ b/tests/t0020-show-tests.sh
>@@ -15,6 +15,13 @@ test_expect_success 'Test "show" command with
>spaces' '
> 	[[ $("$PASS" show "I am a cred with lots of spaces") == "BLAH!!" ]]
> '
> 
>+test_expect_success 'Test "show" with empty file' '
>+	mv "$PASSWORD_STORE_DIR"{cred1.gpg,.gpg}
>+	"$PASS" show
>+	[[ $("$PASS" show) == "Password Store
>+\`-- I\\ am\\ a\\ cred\\ with\\ lots\\ of\\ spaces" ]]
>+'
>+
> test_expect_success 'Test "show" of nonexistant password' '
> 	test_must_fail "$PASS" show cred2
> '
>diff --git a/tests/t0100-insert-tests.sh b/tests/t0100-insert-tests.sh
>index d8101ab..3bfc482 100755
>--- a/tests/t0100-insert-tests.sh
>+++ b/tests/t0100-insert-tests.sh
>@@ -10,4 +10,9 @@ test_expect_success 'Test "insert" command' '
> 	[[ $("$PASS" show cred1) == "Hello world" ]]
> '
> 
>+test_expect_success 'Test insert empty password' '
>+	echo "Hello world" | "$PASS"  insert -e ""
>+	[[ $? == 1 ]]
>+'
>+
> test_done
>-- 
>2.22.0
>
>_______________________________________________
>Password-Store mailing list
>Password-Store at lists.zx2c4.com
>https://lists.zx2c4.com/mailman/listinfo/password-store

-- 
HacKan || Iván
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20190712/9d710e29/attachment-0001.html>


More information about the Password-Store mailing list