(fwd) [PATCH v2] Unset variables messing with Git use

martin f. krafft madduck at madduck.net
Thu Nov 28 00:34:31 CET 2019


Hello,

Wondering if there's anything I can do to further
facilitate acceptance of this patch I sent 3 months ago?

Thank you,
martin

----- Forwarded message from "martin f. krafft" <madduck at madduck.net> -----

Date: Wed, 14 Aug 2019 10:26:55 +1200
From: "martin f. krafft" <madduck at madduck.net>
To: password-store at lists.zx2c4.com
Cc: "martin f. krafft" <madduck at madduck.net>
Subject: [PATCH v2] Unset variables messing with Git use
Message-Id: <20190813222655.3524-1-madduck at madduck.net>
X-Spam: no (crm114:17.14 SA:-102.1)
X-Justme: from machine in my domain

This patch makes sure that variables from the environment cannot
override e.g. the Git directory to operate on, as well as other critical
parts of Git operations. These variables are:

   - GIT_DIR
   - GIT_WORK_TREE
   - GIT_NAMESPACE
   - GIT_INDEX_FILE
   - GIT_INDEX_VERSION
   - GIT_OBJECT_DIRECTORY
   - GIT_COMMON_DIR

If any of those are set, pass might end up operating on another
repository, and things would break.

I caught this having GIT_DIR set, but fortunately the other repository
had a .gitignore that would have ignored the file:

```
fishbowl~% echo $GIT_DIR
/home/madduck/.config/vcsh/repo.d/zsh.git

fishbowl~% pass generate test
The following paths are ignored by one of your .gitignore files:
.password-store/test.gpg
Use -f if you really want to add them.
The generated password for test is:
…
```

The result was an orphan file `test.gpg` in the password-store root.

Signed-off-by: martin f. krafft <madduck at madduck.net>
---
  src/password-store.sh | 4 ++++
  1 file changed, 4 insertions(+)

diff --git a/src/password-store.sh b/src/password-store.sh
index 1d119f2..ddb30f2 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -20,6 +20,10 @@ GENERATED_LENGTH="${PASSWORD_STORE_GENERATED_LENGTH:-25}"
  CHARACTER_SET="${PASSWORD_STORE_CHARACTER_SET:-[:punct:][:alnum:]}"
  CHARACTER_SET_NO_SYMBOLS="${PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS:-[:alnum:]}"

+unset GIT_DIR GIT_WORK_TREE GIT_NAMESPACE \
+  GIT_INDEX_FILE GIT_INDEX_VERSION \
+  GIT_OBJECT_DIRECTORY GIT_COMMON_DIR
+
  export GIT_CEILING_DIRECTORIES="$PREFIX/.."

  #
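
Review bot: The three added `unset` lines form a deny-list with no comment saying why these variables are cleared or how the set was chosen, so a later reader cannot tell whether an omission is deliberate. Add a one-line comment above `unset GIT_DIR GIT_WORK_TREE GIT_NAMESPACE \` stating that inherited repository-location variables must not redirect pass to another repository, and check whether other variables that change where Git reads or writes, such as GIT_ALTERNATE_OBJECT_DIRECTORIES, belong in the list. The variables are also dropped silently, so a user who has GIT_DIR exported gets no hint that pass ignored it; if that is intended, it deserves a sentence in the documentation.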

-- 
@martinkrafft | https://riot.im/app/#/room/#madduck:madduck.net
  
"most people become bankrupt through having invested too heavily in
  the prose of life. to have ruined one's self over poetry is an
  honour."
                                                       -- oscar wilde
  
spamtraps: madduck.bogus at madduck.net