From 45ad89b6cddbcb3c112f1c2cdfd4361bc7fdced3 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard <dr@jones.dk>
Date: Sat, 9 Feb 2013 19:54:08 +0100
Subject: Dual-quote arguments passed to su_monkeysphere_user() when possible.

It is a healthy coding practice to keep each argument separate when
executing system calls, i.e. quote each variable separately instead of
relying on whitespace to indicate argument separation.

Quoting shell-inside-shell is tricky to do right, and gets trickier when
the wrapper demands unusually complex quoting.

su_monkeysphere_user() expands arguments using "$*" which (unlike "$@")
collapses all arguments into a single string, and therefore require
"risky" arguments (e.g. ones containing variables that may contain space
or other unusual characters) to be dual-quoted for them to not wreak
havoc at the inside shell.

This patch improves arguments passed to su_monkeysphere_user() by first
single-quoting and then double-quoting arguments containing variables.

NB! Dynamic arguments are only double-quoted ( "$@" ) which looks safe
but effectively is a noop (quoting is lost at wrapper!).
---
 src/share/ma/add_certifier    | 10 +++++-----
 src/share/ma/remove_certifier |  2 +-
 src/share/ma/update_users     |  2 +-
 src/share/mh/add_revoker      | 10 +++++-----
 src/share/mh/publish_key      |  2 +-
 5 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/src/share/ma/add_certifier b/src/share/ma/add_certifier
index d456763..3acfd34 100644
--- a/src/share/ma/add_certifier
+++ b/src/share/ma/add_certifier
@@ -101,7 +101,7 @@ if [ -f "$keyID" -o "$keyID" = '-' ] ; then
     # check the key is ok as monkeysphere user before loading
     log debug "checking keys in file..."
     fingerprint=$(su_monkeysphere_user \
-	. "${SYSSHAREDIR}/list_primary_fingerprints" < "$keyID")
+	. "'${SYSSHAREDIR}/list_primary_fingerprints'" < "$keyID")
 
     if [ $(printf "%s" "$fingerprint" | egrep -c '^[A-F0-9]{40}$') -ne 1 ] ; then
 	failure "There was not exactly one gpg key in the file."
@@ -114,12 +114,12 @@ if [ -f "$keyID" -o "$keyID" = '-' ] ; then
 # else, get the key from the keyserver
 else
     log verbose "searching keyserver $KEYSERVER for keyID $keyID..."
-    gpg_sphere --keyserver "$KEYSERVER" --recv-key "0x${keyID}!" \
+    gpg_sphere --keyserver "'$KEYSERVER'" --recv-key "'0x${keyID}!'" \
 	|| failure "Could not receive a key with this ID from the '$KEYSERVER' keyserver."
 
     # get the full fingerprint of new certifier key
     log debug "getting fingerprint of certifier key..."
-    fingerprint=$(gpg_sphere --list-key --with-colons --with-fingerprint "0x${keyID}!" \
+    fingerprint=$(gpg_sphere --list-key --with-colons --with-fingerprint "'0x${keyID}!'" \
 	| grep '^fpr:' | cut -d: -f10)
 
     # test that there is only a single fingerprint
@@ -133,7 +133,7 @@ EOF
     fi
 
     log info "key found:"
-    gpg_sphere --fingerprint "0x${fingerprint}!"
+    gpg_sphere --fingerprint "'0x${fingerprint}!'"
 
     if [ "$PROMPT" != "false" ] ; then
 	printf "Are you sure you want to add the above key as a certifier\nof users on this system? (Y/n) " >&2
@@ -149,7 +149,7 @@ fi
 # export the key to the core keyring so that the core can sign the
 # new certifier key
 log debug "loading key into core keyring..."
-gpg_sphere --export "0x${fingerprint}!" | gpg_core --import
+gpg_sphere --export "'0x${fingerprint}!'" | gpg_core --import
 
 # edit-key script to ltsign key
 # NOTE: *all* user IDs will be ltsigned
diff --git a/src/share/ma/remove_certifier b/src/share/ma/remove_certifier
index 9f5be25..6ec9a2d 100644
--- a/src/share/ma/remove_certifier
+++ b/src/share/ma/remove_certifier
@@ -37,7 +37,7 @@ else
 fi
 
 # delete the requested key from the sphere keyring
-if gpg_sphere --delete-key --batch --yes "0x${keyID}!" ; then
+if gpg_sphere --delete-key --batch --yes "'0x${keyID}!'" ; then
     # delete key from core keyring as well
     gpg_core --delete-key --batch --yes "0x${keyID}!"
 
diff --git a/src/share/ma/update_users b/src/share/ma/update_users
index 991c302..09ca9cb 100644
--- a/src/share/ma/update_users
+++ b/src/share/ma/update_users
@@ -79,7 +79,7 @@ for uname in $unames ; do
 
 	    # process authorized_user_ids file, as monkeysphere user
 	    su_monkeysphere_user \
-		. "${SYSSHAREDIR}/process_authorized_user_ids" "'$STRICT_MODES'" - \
+		. "'${SYSSHAREDIR}/process_authorized_user_ids'" "'$STRICT_MODES'" - \
 		< "$authorizedUserIDs" \
 		> "$tmpAuthorizedKeys"
 
diff --git a/src/share/mh/add_revoker b/src/share/mh/add_revoker
index 4647372..bfc7a04 100644
--- a/src/share/mh/add_revoker
+++ b/src/share/mh/add_revoker
@@ -52,7 +52,7 @@ if [ -f "$revokerKeyID" -o "$revokerKeyID" = '-' ] ; then
     # check the key is ok as monkeysphere user before loading
     log debug "checking keys in file..."
     fingerprint=$(su_monkeysphere_user \
-	. "${SYSSHAREDIR}/list_primary_fingerprints" < "$revokerKeyID")
+	. "'${SYSSHAREDIR}/list_primary_fingerprints'" < "$revokerKeyID")
 
     if [ $(printf "%s" "$fingerprint" | egrep -c '^[A-F0-9]{40}$') -ne 1 ] ; then
 	failure "There was not exactly one gpg key in the file."
@@ -71,12 +71,12 @@ else
 
     # download the key from the keyserver as the monkeysphere user
     log verbose "searching keyserver $KEYSERVER for revoker keyID $revokerKeyID..."
-    su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --quiet --keyserver "$KEYSERVER" --recv-key "0x${revokerKeyID}!" \
+    su_monkeysphere_user "'GNUPGHOME=$tmpDir'" gpg --quiet --keyserver "'$KEYSERVER'" --recv-key "'0x${revokerKeyID}!'" \
 	|| failure "Could not receive a key with this ID from keyserver '$KEYSERVER'."
 
     # get the full fingerprint of new revoker key
     log debug "getting fingerprint of revoker key..."
-    fingerprint=$(su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --list-key --with-colons --with-fingerprint "${revokerKeyID}" \
+    fingerprint=$(su_monkeysphere_user "'GNUPGHOME=$tmpDir'" gpg --list-key --with-colons --with-fingerprint "'${revokerKeyID}'" \
 	| grep '^fpr:' | cut -d: -f10)
 
     # test that there is only a single fingerprint
@@ -90,7 +90,7 @@ EOF
     fi
 
     log info "revoker key found:"
-    su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --fingerprint "0x${fingerprint}!"
+    su_monkeysphere_user "'GNUPGHOME=$tmpDir'" gpg --fingerprint "'0x${fingerprint}!'"
 
     if [ "$PROMPT" = "true" ] ; then
 	printf "Are you sure you want to add the above key as a revoker\nof the key '$keyID'? (Y/n) " >&2
@@ -104,7 +104,7 @@ EOF
 
     # export the new key to the host keyring
     log debug "loading revoker key into host keyring..."
-    su_monkeysphere_user "GNUPGHOME=$tmpDir" gpg --quiet --export "0x${fingerprint}!" \
+    su_monkeysphere_user "'GNUPGHOME=$tmpDir'" gpg --quiet --export "'0x${fingerprint}!'" \
 	| gpg_host --import
 fi
 
diff --git a/src/share/mh/publish_key b/src/share/mh/publish_key
index 9c41bc2..9fb2e72 100644
--- a/src/share/mh/publish_key
+++ b/src/share/mh/publish_key
@@ -53,7 +53,7 @@ done
 # publish key
 log debug "publishing key with the following gpg command line and options:"
 su_monkeysphere_user \
-    gpg --keyserver "$KEYSERVER" ${ANCHORFILE:+--keyserver-options "ca-cert-file=$ANCHORFILE"} --send-keys "0x${keyID}!"
+    gpg --keyserver "'$KEYSERVER'" ${ANCHORFILE:+--keyserver-options "'ca-cert-file=$ANCHORFILE'"} --send-keys "'0x${keyID}!'"
 
 # remove the tmp file
 trap - EXIT
-- 
cgit v1.2.3