Check sneaky paths.

author: Jason A. Donenfeld <Jason@zx2c4.com> 2014-04-18 13:22:39 +0200
committer: Jason A. Donenfeld <Jason@zx2c4.com> 2014-04-18 13:22:39 +0200
commit: 1edc1a7ecc74798484b690db0f88b9ac30120162 (patch)
tree: 4d5e4482a22e1df0f83fdef386903e6231786953
parent: 8066a2b222a31cf5ac217de5e26a267a2100940e (diff)
download: pass-1edc1a7ecc74798484b690db0f88b9ac30120162.tar.gz
pass-1edc1a7ecc74798484b690db0f88b9ac30120162.tar.bz2
pass-1edc1a7ecc74798484b690db0f88b9ac30120162.zip
1 files changed, 15 insertions, 0 deletions
diff --git a/src/password-store.sh b/src/password-store.sh
index f80f026..4874175 100755
--- a/src/password-store.sh
+++ b/src/password-store.sh
@@ -114,6 +114,14 @@ reencrypt_path() {
 		prev_gpg_recipients="${GPG_RECIPIENTS[@]}"
 	done
 }
+check_sneaky_paths() {
+	for path in "$@"; do
+		if [[ $path =~ /\.\.$ || $path =~ ^\.\./ || $path =~ /\.\./ || $path =~ ^\.\.$ ]]; then
+			echo "Error: You've attempted to pass a sneaky path to pass. Go home."
+			exit 1
+		fi
+	done
+}
 
 #
 # END helper functions
@@ -256,6 +264,7 @@ cmd_init() {
 		echo "Usage: $PROGRAM $COMMAND [--path=subfolder,-p subfolder] gpg-id..."
 		exit 1
 	fi
+	[[ -n $id_path ]] && check_sneaky_paths "$id_path"
 	if [[ -n $id_path && ! -d $PREFIX/$id_path ]]; then
 		if [[ -e $PREFIX/$id_path ]]; then
 			echo "Error: $PREFIX/$id_path exists but is not a directory."
@@ -309,6 +318,7 @@ cmd_show() {
 
 	local path="$1"
 	local passfile="$PREFIX/$path.gpg"
+	check_sneaky_paths "$path"
 	if [[ -f $passfile ]]; then
 		if [[ $clip -eq 0 ]]; then
 			exec $GPG -d $GPG_OPTS "$passfile"
@@ -396,6 +406,7 @@ cmd_insert() {
 	fi
 	local path="$1"
 	local passfile="$PREFIX/$path.gpg"
+	check_sneaky_paths "$path"
 
 	[[ $force -eq 0 && -e $passfile ]] && yesno "An entry already exists for $path. Overwrite it?"
 
@@ -436,6 +447,7 @@ cmd_edit() {
 	fi
 
 	local path="$1"
+	check_sneaky_paths "$path"
 	mkdir -p -v "$PREFIX/$(dirname "$path")"
 	set_gpg_recipients "$(dirname "$path")"
 	local passfile="$PREFIX/$path.gpg"
@@ -481,6 +493,7 @@ cmd_generate() {
 	fi
 	local path="$1"
 	local length="$2"
+	check_sneaky_paths "$path"
 	if [[ ! $length =~ ^[0-9]+$ ]]; then
 		echo "pass-length \"$length\" must be a number."
 		exit 1
@@ -522,6 +535,7 @@ cmd_delete() {
 		exit 1
 	fi
 	local path="$1"
+	check_sneaky_paths "$path"
 
 	local passfile="$PREFIX/${path%/}"
 	if [[ ! -d $passfile ]]; then
@@ -560,6 +574,7 @@ cmd_copy_move() {
 		echo "Usage: $PROGRAM $COMMAND [--force,-f] old-path new-path"
 		exit 1
 	fi
+	check_sneaky_paths "$@"
 	local old_path="$PREFIX/${1%/}"
 	local new_path="$PREFIX/$2"
 	local old_dir="$old_path"
author	Jason A. Donenfeld <Jason@zx2c4.com>	2014-04-18 13:22:39 +0200
committer	Jason A. Donenfeld <Jason@zx2c4.com>	2014-04-18 13:22:39 +0200
commit	1edc1a7ecc74798484b690db0f88b9ac30120162 (patch)
tree	4d5e4482a22e1df0f83fdef386903e6231786953
parent	8066a2b222a31cf5ac217de5e26a267a2100940e (diff)
download	pass-1edc1a7ecc74798484b690db0f88b9ac30120162.tar.gz pass-1edc1a7ecc74798484b690db0f88b9ac30120162.tar.bz2 pass-1edc1a7ecc74798484b690db0f88b9ac30120162.zip