On Thu, Apr 14, 2022 at 01:26:47PM +0200, Daniel Mach wrote:
> SaltStack strips leading/trailing whitespaces from the password [1],
> because pass adds a newline when entering passwords interactively.

SaltStack is removing too much. They should use the equivalent of
pass_show_output.removesuffix("\n").

> 
> Pass is capable of storing multiline passwords which are stored as
> provided. That includes storing binary data as well. If such a password
> has leading/trailing whitespace, it is stripped in SaltStack
> and the password becomes invalid.
> 
> This change fixes the inconsistency by always storing the passwords
> as provided, with no extra characters added.
> 
> To retain good user experience, a newline is printed to stderr after
> printing a password.
> 
> [1] 
> https://github.com/saltstack/salt/commit/2584df93e074155062bd934f23bb244613e20dd3
> ---
>  src/password-store.sh | 7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/src/password-store.sh b/src/password-store.sh
> index 22e818f..48b3a79 100755
> --- a/src/password-store.sh
> +++ b/src/password-store.sh
> @@ -385,7 +385,8 @@ cmd_show() {
>       if [[ -f $passfile ]]; then
>               if [[ $clip -eq 0 && $qrcode -eq 0 ]]; then
>                       pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | 
> $BASE64)" || exit $?
> -                     echo "$pass" | $BASE64 -d
> +                     echo -n "$pass" | $BASE64 -d
> +                     echo >&2
>               else
>                       [[ $selected_line =~ ^[0-9]+$ ]] || die "Clip location 
> '$selected_line' is not a number."
>                       pass="$($GPG -d "${GPG_OPTS[@]}" "$passfile" | tail -n 
> +${selected_line} | head -n 1)" || exit $?
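Review bot: The added `echo >&2` in cmd_show runs unconditionally, so the newline is also written when stdout is a pipe or file rather than a terminal. A caller that merges the streams with `2>&1` gets the trailing newline back, which is the mismatch this change is meant to remove. Entries stored by earlier versions already end in a newline, so they would now print a blank line as well. Guarding it on an interactive stdout keeps the terminal behaviour without touching scripted output, for example `if [[ -t 1 ]]; then echo >&2; fi`. cmd_show's body starts and ends outside this hunk.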
> @@ -468,7 +469,7 @@ cmd_insert() {
>                       read -r -p "Retype password for $path: " -s 
> password_again || exit 1
>                       echo
>                       if [[ $password == "$password_again" ]]; then
> -                             echo "$password" | $GPG -e 
> "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password 
> encryption aborted."
> +                             echo -n "$password" | $GPG -e 
> "${GPG_RECIPIENT_ARGS[@]}" -o "$passfile" "${GPG_OPTS[@]}" || die "Password 
> encryption aborted."
>                               break
>                       else
>                               die "Error: the entered passwords do not match."
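Review bot: `echo -n "$password"` lets bash's echo builtin parse the password itself as an option, both here and in the non-echo branch of the next hunk (@@ -477). A password that is exactly `-e`, `-n` or `-E` is consumed as a flag, so an empty entry is encrypted and no error is reported. The old `echo "$password"` had the same parsing problem, so this change is a good place to switch both lines to `printf '%s' "$password" | $GPG -e ...`, which writes the typed characters verbatim and adds no newline. cmd_insert's body starts outside the hunk.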
> @@ -477,7 +478,7 @@ cmd_insert() {
>       else
>               local password
>               read -r -p "Enter password for $path: " -e password
> -             echo "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o 
> "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
> +             echo -n "$password" | $GPG -e "${GPG_RECIPIENT_ARGS[@]}" -o 
> "$passfile" "${GPG_OPTS[@]}" || die "Password encryption aborted."
>       fi
>       git_add_file "$passfile" "Add given password for $path to store."
>  }
> -- 
> 2.35.1
> 
