Fixes #21: tokens passed via file #22

Open
mgoellnitz wants to merge 1 commit into fabianonline:master from mgoellnitz:secret_token_leak_21
@mgoellnitz

No description provided.

@mgoellnitz mgoellnitz force-pushed the secret_token_leak_21 branch from a196e12 to 67e22e7 Compare July 1, 2025 20:47
_curl() {
curl -s -H "$AUTHORIZATION" -H "User-Agent: matrix.sh/$VERSION" "$@"
HEADERFILE="$HOME/.matrix.sh-headers"
if [ -z "$(grep "$AUTHORIZATION" $HEADERFILE)" ] ; then
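
Review bot: The grep "$AUTHORIZATION" $HEADERFILE test on the last line puts the authorization value on the command line of an external process, where it shows up in the process list while grep runs; it is also matched as a regular expression rather than a literal string, and grep reports an error when the file does not exist yet. Consider comparing with shell builtins only (for example reading the file with read), or writing the file unconditionally so that no comparison is needed.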

Please quote all variables that don't need word splitting. (I know it's unlikely that $HOME has whitespace in it, but it's better to be safe than sorry.)

curl -s -H "$AUTHORIZATION" -H "User-Agent: matrix.sh/$VERSION" "$@"
HEADERFILE="$HOME/.matrix.sh-headers"
if [ -z "$(grep "$AUTHORIZATION" $HEADERFILE)" ] ; then
echo "User-Agent: matrix.sh/$VERSION" > $HEADERFILE
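
Review bot: The redirect in echo "User-Agent: ..." > $HEADERFILE truncates an existing file but keeps its current mode, so a headers file that is already present with permissions looser than 0600 stays that way once the authorization header is written into it. Remove the file before re-creating it, or replace it by renaming a freshly created one, so that the restrictive mode applies on every write and not only on first creation.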

I would do (umask 0077; echo data > file) instead of separate chmod, to avoid ever having the secret in a world writable file.


_curl() {
curl -s -H "$AUTHORIZATION" -H "User-Agent: matrix.sh/$VERSION" "$@"
HEADERFILE="$HOME/.matrix.sh-headers"
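
Review bot: HEADERFILE is one fixed path under $HOME, so two invocations running at the same time, or runs that use different tokens, write to the same file and one call can end up sending the other's header. A per-run file (mktemp, removed in an EXIT trap) avoids the sharing; the assignment could also move out of _curl() so that it is not repeated on every call.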

I'd consider using $XDG_CACHE_HOME here, to avoid so many dotfiles in $HOME:

HEADERFILE=${XDG_CACHE_HOME:-"$HOME"/.cache}/matrix.sh/headers
mkdir -p "$(dirname "$HEADERFILE")"
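
The suggestions from the review comments above (a restrictive umask in a subshell, a path under $XDG_CACHE_HOME) combined into one helper, as an added example that is not code from this pull request or from matrix.sh. The function names headers_path, write_headers and header_file_mode are hypothetical, and replacing the file by rename is an addition beyond what the comments propose.

```shell
#!/bin/sh
# Added example, not code from the PR. Function names are hypothetical.

# Resolve the headers path as suggested in the last review comment.
headers_path() {
    printf '%s\n' "${XDG_CACHE_HOME:-$HOME/.cache}/matrix.sh/headers"
}

# Write each argument as one header line, so that the secret never sits in
# a file other users can read, not even briefly.
write_headers() {
    target=$(headers_path) || return 1
    dir=$(dirname "$target")
    (
        # The umask change is confined to this subshell: directories are
        # created 0700 and files 0600 from the moment they exist.
        umask 0077
        mkdir -p "$dir" || exit 1
        # A fresh temporary file means a leftover headers file with a
        # looser mode is replaced instead of being reused.
        tmp=$(mktemp "$dir/headers.XXXXXX") || exit 1
        # printf is a builtin in bash and dash, so the header values do not
        # appear in the argument list of an external process.
        printf '%s\n' "$@" > "$tmp" || { rm -f "$tmp"; exit 1; }
        # Rename within one directory is atomic: readers see either the old
        # file or the complete new one.
        mv -f "$tmp" "$target" || { rm -f "$tmp"; exit 1; }
    )
}

# Print the permission string of the headers file, e.g. -rw-------
header_file_mode() {
    ls -ld "$(headers_path)" | cut -c1-10
}
```
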
