[PATCH] show, insert: handle password with empty name
HacKan
hackan at gmail.com
Fri Jul 12 17:43:40 CEST 2019
Just a note: instead of `! -z` use `-n`
I agree on that an empty name should be an error and not accepted.
Cheers!
On July 12, 2019 12:24:22 PM GMT-03:00, "Rémi Lapeyre" <remi.lapeyre at henki.fr> wrote:
>Saving a password with an empty name could happen (when doing `pass
>insert "$passname"` for example) and would break `pass show` as it
>would
>show this passworld instead of listing them all. This behavior would
>break some third party integrations like passff.
>
>This changes both `pass insert` to refuse saving such a password and
>fix
>`pass show` to list the passwords since a ".gpg" file could still
>appear
>from a backup or a bad git commit (note that the empty password won't
>show up as its file will be ".gpg" and be hidden).
>---
> src/password-store.sh | 3 ++-
> tests/t0020-show-tests.sh | 7 +++++++
> tests/t0100-insert-tests.sh | 5 +++++
> 3 files changed, 14 insertions(+), 1 deletion(-)
>
>diff --git a/src/password-store.sh b/src/password-store.sh
>index b99460c..62b449e 100755
>--- a/src/password-store.sh
>+++ b/src/password-store.sh
>@@ -379,7 +379,7 @@ cmd_show() {
> local path="$1"
> local passfile="$PREFIX/$path.gpg"
> check_sneaky_paths "$path"
>- if [[ -f $passfile ]]; then
>+ if [[ -f $passfile && ! -z "$path" ]]; then
> if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then
> pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | $BASE64)" || exit $?
> echo "$pass" | $BASE64 -d
>@@ -444,6 +444,7 @@ cmd_insert() {
>
> [[ $err -ne 0 || ( $multiline -eq 1 && $noecho -eq 0 ) || $# -ne 1 ]]
>&& die "Usage: $PROGRAM $COMMAND [--echo,-e | --multiline,-m]
>[--force,-f] pass-name"
> local path="${1%/}"
>+ [[ -z "$path" ]] && die "Cannot insert a password with an empty
>name."
> local passfile="$PREFIX/$path.gpg"
> check_sneaky_paths "$path"
> set_git "$passfile"
>diff --git a/tests/t0020-show-tests.sh b/tests/t0020-show-tests.sh
>index a4b782f..3acdc39 100755
>--- a/tests/t0020-show-tests.sh
>+++ b/tests/t0020-show-tests.sh
>@@ -15,6 +15,13 @@ test_expect_success 'Test "show" command with
>spaces' '
> [[ $("$PASS" show "I am a cred with lots of spaces") == "BLAH!!" ]]
> '
>
>+test_expect_success 'Test "show" with empty file' '
>+ mv "$PASSWORD_STORE_DIR"{cred1.gpg,.gpg}
>+ "$PASS" show
>+ [[ $("$PASS" show) == "Password Store
>+\`-- I\\ am\\ a\\ cred\\ with\\ lots\\ of\\ spaces" ]]
>+'
>+
> test_expect_success 'Test "show" of nonexistant password' '
> test_must_fail "$PASS" show cred2
> '
>diff --git a/tests/t0100-insert-tests.sh b/tests/t0100-insert-tests.sh
>index d8101ab..3bfc482 100755
>--- a/tests/t0100-insert-tests.sh
>+++ b/tests/t0100-insert-tests.sh
>@@ -10,4 +10,9 @@ test_expect_success 'Test "insert" command' '
> [[ $("$PASS" show cred1) == "Hello world" ]]
> '
>
>+test_expect_success 'Test insert empty password' '
>+ echo "Hello world" | "$PASS" insert -e ""
>+ [[ $? == 1 ]]
>+'
>+
> test_done
>--
>2.22.0
>
>_______________________________________________
>Password-Store mailing list
>Password-Store at lists.zx2c4.com
>https://lists.zx2c4.com/mailman/listinfo/password-store
--
HacKan || Iván
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20190712/9d710e29/attachment-0001.html>
More information about the Password-Store
mailing list