#2178 PR merged: More fail safe BACKUP_PROG_CRYPT_KEY handling (issue 2157)

Labels: enhancement, bug, documentation, fixed / solved / done

jsmeix opened issue at 2019-07-08 12:41:

  • Type: Bug Fix Enhancement

  • Impact: Normal

  • Reference to related issue (URL):
    https://github.com/rear/rear/issues/2157

  • How was this pull request tested?
    Not yet tested at all by me - I will do that later...

  • Brief description of the changes in this pull request:

Make the code that deals with BACKUP_PROG_CRYPT_KEY more fail safe:

  1. Use double quotes "$BACKUP_PROG_CRYPT_KEY" so that
    the BACKUP_PROG_CRYPT_KEY value can contain spaces.

  2. Escape special regexp characters in the BACKUP_PROG_CRYPT_KEY value
    when it is used as a regexp in grep or sed.

  3. Use single quotes BACKUP_PROG_CRYPT_KEY='my_secret_passphrase'
    in the documentation examples so that the BACKUP_PROG_CRYPT_KEY value
    can contain special characters like $,
    cf. https://github.com/rear/rear/issues/2157#issuecomment-506496775

  4. Recommend to not use special characters in the
    BACKUP_PROG_CRYPT_KEY value to be on the safe side
    against things breaking in unexpected weird ways when certain code
    in ReaR is not yet safe against arbitrary special characters in values
    cf. https://github.com/rear/rear/issues/1372

jsmeix commented at 2019-07-09 07:59:

I tested the escaped_regexp code in the new
usr/share/rear/build/default/960_remove_encryption_keys.sh
here by using a BACKUP_PROG_CRYPT_KEY with all those
special characters that are listed in the new default.conf here
except the single quote character
on command line

# BACKUP_PROG_CRYPT_KEY=' my $ ` " | & ; ( ) < > { } [ ] . * @ ! ? / \ pass '

# echo "'$BACKUP_PROG_CRYPT_KEY'"
' my $ ` " | & ; ( ) < > { } [ ] . * @ ! ? / \ pass '

# escaped_regexp="$( echo "$BACKUP_PROG_CRYPT_KEY" | sed -e 's/\([[\/.*]\|\]\)/\\&/g' )"

# echo "'$escaped_regexp'"
' my $ ` " | & ; ( ) < > { } \[ \] \. \* @ ! ? \/ \\ pass '

# echo "foo BACKUP_PROG_CRYPT_KEY='$BACKUP_PROG_CRYPT_KEY' bar $BACKUP_PROG_CRYPT_KEY baz" | grep -o "BACKUP_PROG_CRYPT_KEY=.*$escaped_regexp" && echo found
BACKUP_PROG_CRYPT_KEY=' my $ ` " | & ; ( ) < > { } [ ] . * @ ! ? / \ pass ' bar  my $ ` " | & ; ( ) < > { } [ ] . * @ ! ? / \ pass 
found

# echo "foo BACKUP_PROG_CRYPT_KEY='$BACKUP_PROG_CRYPT_KEY' bar $BACKUP_PROG_CRYPT_KEY baz" | sed -e "/BACKUP_PROG_CRYPT_KEY=/s/$escaped_regexp//g"
foo BACKUP_PROG_CRYPT_KEY='' bar  baz

so it seems at least the new
usr/share/rear/build/default/960_remove_encryption_keys.sh
here is safe against special characters in BACKUP_PROG_CRYPT_KEY.

Let's see if that BACKUP_PROG_CRYPT_KEY also works
for a real test...

jsmeix commented at 2019-07-09 09:04:

Surprisingly "rear mkbackup" and "rear recover"
both "just worked" for me with

BACKUP_PROG_CRYPT_ENABLED="yes"
{ BACKUP_PROG_CRYPT_KEY=' my $ ` " | & ; ( ) < > { } [ ] . * @ ! ? / \ pass ' ; } 2>/dev/null

in etc/rear/local.conf so that I will "just merge" it now.

Testing a single quote within BACKUP_PROG_CRYPT_KEY
is left as an exercise to the reader, cf.
https://stackoverflow.com/questions/1250079/how-to-escape-single-quotes-within-single-quoted-strings

[Export of Github issue for rear/rear.]