From 86fe5ae352d48a13368f5fb92be0a7b3bc0a4652 Mon Sep 17 00:00:00 2001
From: "tlimoncelli@stackexchange.com"
Date: Tue, 10 Feb 2015 18:54:47 -0500
Subject: [PATCH] More securely quote $BB_FILES

---
 bin/blackbox_register_new_file | 4 +++-
 bin/blackbox_shred_all_files | 2 +-
 bin/blackbox_update_all_files | 6 +++---
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/bin/blackbox_register_new_file b/bin/blackbox_register_new_file
index 93e8c1b..8b91199 100755
--- a/bin/blackbox_register_new_file
+++ b/bin/blackbox_register_new_file
@@ -46,6 +46,8 @@ if $SECRETSEXPOSED ; then
 COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file"
 else
 COMMIT_FILES="$BB_FILES $encrypted_file"
+ # FIXME(tal): This should be an array so that filenames with
+ # spaces aren't a problem.
 fi
 
 # TODO(tlim): This should be moved to _blackbox_common.sh in a
@@ -61,7 +63,7 @@ if [[ $VCS_TYPE = 'git' ]]; then
 fi
 
 echo 'NOTE: "already tracked!" messages are safe to ignore.'
-vcs_add $BB_FILES $encrypted_file
+vcs_add "$BB_FILES" $encrypted_file
 vcs_commit "registered in blackbox: ${unencrypted_file}" $COMMIT_FILES
 echo "========== UPDATING VCS: DONE"
 echo "Local repo updated. Please push when ready."
diff --git a/bin/blackbox_shred_all_files b/bin/blackbox_shred_all_files
index 267603e..b753089 100755
--- a/bin/blackbox_shred_all_files
+++ b/bin/blackbox_shred_all_files
@@ -22,7 +22,7 @@ source ${blackbox_home}/_blackbox_common.sh
 change_to_root
 
 echo '========== FILES BEING SHREDDED:'
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
 unencrypted_file=$(get_unencrypted_filename "$i")
 encrypted_file=$(get_encrypted_filename "$i")
 if [[ -f "$unencrypted_file" ]]; then
diff --git a/bin/blackbox_update_all_files b/bin/blackbox_update_all_files
index 14184ef..4394f18 100755
--- a/bin/blackbox_update_all_files
+++ b/bin/blackbox_update_all_files
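Review bot: The FIXME added in the first hunk of bin/blackbox_register_new_file sits inside the `else` branch only, yet it describes a problem shared by both `COMMIT_FILES` assignments, so a reader looking at the `if` branch never sees it. Placing it once above the `if $SECRETSEXPOSED` line (which is outside this hunk, shown only in the hunk header) covers both and keeps the branch bodies to one statement each: `# FIXME(tal): COMMIT_FILES should be an array so that filenames with spaces aren't a problem.`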
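Review bot: `$encrypted_file` on the new `vcs_add` line in the second hunk of bin/blackbox_register_new_file is still unquoted, so this line now quotes only the path of the list file while the user-derived filename with its `.gpg` suffix is still word-split and glob-expanded before vcs_add sees it. Quote it the same way: `vcs_add "$BB_FILES" "$encrypted_file"`. `$COMMIT_FILES` on the following context line is a space-joined list and cannot simply be quoted until it becomes an array, which the FIXME in the previous hunk already records.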
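Review bot: In the bin/blackbox_shred_all_files hunk, quoting `"$BB_FILES"` inside `$(<…)` protects the path of the list file, but the substitution's output is still unquoted, so each entry read from it is word-split and then glob-expanded: an entry containing a space becomes two iterations, and one containing `*` or `?` can expand to names that are not in the list at all, which this script then hands to the shred step. The same construct is on the new side of the first two hunks of bin/blackbox_update_all_files. A line-oriented read avoids both splitting and globbing, e.g. `while IFS= read -r i <&3; do` … `done 3<"$BB_FILES"`, reading from a separate descriptor so that any command in the loop body that consumes stdin does not drain the list. The loop body continues past the end of the hunk.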
@@ -23,7 +23,7 @@ awk <"$BB_FILES" '{ print " " $1 ".gpg" }'
 echo '========== FILES IN THE WAY:'
 need_warning=false
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
 unencrypted_file=$(get_unencrypted_filename "$i")
 encrypted_file=$(get_encrypted_filename "$i")
 if [[ -f "$unencrypted_file" ]]; then
@@ -40,7 +40,7 @@ else
 fi
 
 echo '========== RE-ENCRYPTING FILES:'
-for i in $(<$BB_FILES) ; do
+for i in $(<"$BB_FILES") ; do
 unencrypted_file=$(get_unencrypted_filename "$i")
 encrypted_file=$(get_encrypted_filename "$i")
 echo ========== PROCESSING "$unencrypted_file"
@@ -53,7 +53,7 @@ done
 fail_if_keychain_has_secrets
 
 echo '========== COMMITING TO VCS:'
-vcs_commit 'Re-encrypted keys' $(awk <$BB_FILES '{ print $1 ".gpg" }' )
+vcs_commit 'Re-encrypted keys' $(awk <"$BB_FILES" '{ print $1 ".gpg" }' )
 VCSCMD=$(which_vcs)
 
 echo '========== DONE.'
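Review bot: In the last hunk of bin/blackbox_update_all_files, the awk substitution on the new `vcs_commit` line is still unquoted, so its output is word-split and glob-expanded exactly as before, and awk's `$1` already truncates any entry at its first whitespace, so the `.gpg` suffix is appended to a fragment of the name. Collecting the names into an array keeps each entry intact: `mapfile -t gpg_files < <(awk <"$BB_FILES" '{ print $0 ".gpg" }')` followed by `vcs_commit 'Re-encrypted keys' "${gpg_files[@]}"`. mapfile needs bash 4, and using `$0` rather than `$1` assumes one filename per line with no trailing whitespace, which the `$(<"$BB_FILES")` loops elsewhere in this patch suggest is the intended format — worth confirming against the file's documented layout.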