Hello,

Wondering if there's anything I can do to further facilitate acceptance of this patch I sent 3 months ago?

Thank you,
martin

----- Forwarded message from "martin f. krafft" <[email protected]> -----
Date: Wed, 14 Aug 2019 10:26:55 +1200
From: "martin f. krafft" <[email protected]>
To: [email protected]
Cc: "martin f. krafft" <[email protected]>
Subject: [PATCH v2] Unset variables messing with Git use
Message-Id: <[email protected]>
X-Spam: no (crm114:17.14 SA:-102.1)
X-Justme: from machine in my domain

This patch makes sure that variables from the environment cannot override e.g. the Git directory to operate on, as well as other critical parts of Git operations. These variables are:

- GIT_DIR
- GIT_WORK_TREE
- GIT_NAMESPACE
- GIT_INDEX_FILE
- GIT_INDEX_VERSION
- GIT_OBJECT_DIRECTORY
- GIT_COMMON_DIR

If any of those are set, pass might end up operating on another repository, and things would break. I caught this having GIT_DIR set, but fortunately the other repository had a .gitignore that would have ignored the file:

```
fishbowl~% echo $GIT_DIR
/home/madduck/.config/vcsh/repo.d/zsh.git
fishbowl~% pass generate test
The following paths are ignored by one of your .gitignore files:
.password-store/test.gpg
Use -f if you really want to add them.
The generated password for test is:
…
```

The result was an orphan file `test.gpg` in the password-store root.

Signed-off-by: martin f. krafft <[email protected]>
--- src/password-store.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/password-store.sh b/src/password-store.sh index 1d119f2..ddb30f2 100755 --- a/src/password-store.sh +++ b/src/password-store.sh @@ -20,6 +20,10 @@ GENERATED_LENGTH="${PASSWORD_STORE_GENERATED_LENGTH:-25}" CHARACTER_SET="${PASSWORD_STORE_CHARACTER_SET:-[:punct:][:alnum:]}" CHARACTER_SET_NO_SYMBOLS="${PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS:-[:alnum:]}" +unset GIT_DIR GIT_WORK_TREE GIT_NAMESPACE \ + GIT_INDEX_FILE GIT_INDEX_VERSION \ + GIT_OBJECT_DIRECTORY GIT_COMMON_DIR + export GIT_CEILING_DIRECTORIES="$PREFIX/.." #

--
@martinkrafft | https://riot.im/app/#/room/#madduck:madduck.net

"most people become bankrupt through having invested too heavily in
the prose of life. to have ruined one's self over poetry is an
honour."
-- oscar wilde
spamtraps: [email protected]
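
Review bot: the hard-coded list in the added `unset` statement is not exhaustive, and nothing in the hunk says whether it is meant to be. GIT_ALTERNATE_OBJECT_DIRECTORIES, which Git reads alongside GIT_OBJECT_DIRECTORY, is absent, and any repository-local variable Git gains later will be missed as well. Either state in a comment that only these seven are deliberately cleared, or derive the list from Git itself with `git rev-parse --local-env-vars` so it stays current. The block also carries no comment at all; one line above it saying that inherited GIT_* variables must not redirect pass to another repository would keep the reason next to the code rather than only in the commit message.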
_______________________________________________ Password-Store mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/password-store
