From e0a029591f1ed1abca4e2b7472945b36be56ca6b Mon Sep 17 00:00:00 2001 From: Jan Schaumann Date: Tue, 10 Feb 2015 18:35:18 -0500 Subject: [PATCH] 2015-02-10: * merge changes from Y!: * change '-c' to '-f', since login shells might get invoked with '-c', which opens up the possibility of allowing a user to provide their own certificate via 'ssh host -- /dev/tty' * correct error reporting, since verifyArgs() is executed in a subshell * quote args to verifyArgs --- CHANGES | 8 ++++++++ doc/sigsh.1 | 6 +++--- doc/sigsh.1.html | 4 ++-- src/sigsh.sh | 27 +++++++++++++++------------ test/sigsh.test.pl | 11 ++++++++--- 5 files changed, 36 insertions(+), 20 deletions(-) mode change 100644 => 100755 src/sigsh.sh diff --git a/CHANGES b/CHANGES index 860a0f7..cddd6e0 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,11 @@ +2015-02-10: + * merge changes from Y!: + * change '-c' to '-f', since login shells might get invoked with '-c', + which opens up the possibility of allowing a user to provide their + own certificate via 'ssh host -- /dev/tty' + * correct error reporting, since verifyArgs() is executed in a subshell + * quote args to verifyArgs + 2011-08-07: * significantly increase performance by only handling input line-by-line if we are in trace mode diff --git a/doc/sigsh.1 b/doc/sigsh.1 index 5202bfc..6cfb697 100644 --- a/doc/sigsh.1 +++ b/doc/sigsh.1 @@ -2,7 +2,7 @@ .\" .\" This manual page was originally written by Jan Schaumann .\" in September 2010. -.Dd February 09, 2011 +.Dd February 10, 2015 .Dt SIGSH 1 .Os .Sh NAME @@ -10,7 +10,7 @@ .Nd a signature verifying shell .Sh SYNOPSIS .Nm -.Op Fl c Ar certs +.Op Fl f Ar certs .Op Fl x .Op Fl p Ar prog .Sh DESCRIPTION @@ -26,7 +26,7 @@ interpreter. .Nm supports the following flags: .Bl -tag -width s_shell_ -.It Fl c Ar certs +.It Fl f Ar certs Read ceritificates to trust from this file. .It Fl p Ar prog Pipe commands into this interpreter instead of the default 
diff --git a/doc/sigsh.1.html b/doc/sigsh.1.html index bb30133..074b597 100644 --- a/doc/sigsh.1.html +++ b/doc/sigsh.1.html @@ -17,7 +17,7 @@

Name

Synopsis

-sigsh [-c certs] [-x] [-p prog] +sigsh [-f certs] [-x] [-p prog]

Description

@@ -38,7 +38,7 @@

Options

-
-c certs
+
-f certs
Read ceritificates to trust from this file.

diff --git a/src/sigsh.sh b/src/sigsh.sh old mode 100644 new mode 100755 index c806c82..2f0af5b --- a/src/sigsh.sh +++ b/src/sigsh.sh @@ -63,14 +63,13 @@ XTRACE=0 ### # function : error -# purpose : print given message to STDERR and exit unsuccessfully +# purpose : print given message to STDERR # inputs : msg error() { local msg="$@" echo "${PROGNAME}: $msg" >&2 - exit 1 } # function : usage @@ -78,8 +77,8 @@ error() { usage() { cat </dev/null 2>&1 ; then echo "${arg}" - else - error "Argument must match ^[a-zA-Z0-9/_.-]*$." - # NOTREACHED + return 0 fi + + error "Argument must match ^[a-zA-Z0-9/_.-]*$." + return 1 } # function : xtrace @@ -118,13 +119,15 @@ xtrace() { ### Main ### -while getopts 'c:p:x' opt; do +while getopts 'f:p:x' opt; do case ${opt} in - c) - CERTS=$(verifyArg ${OPTARG}) + f) + CERTS=$(verifyArg "${OPTARG}") + [ $? -gt 0 ] && exit 1 ;; p) - PROGRAM=$(verifyArg ${OPTARG}) + PROGRAM=$(verifyArg "${OPTARG}") + [ $? -gt 0 ] && exit 1 ;; x) XTRACE=1 diff --git a/test/sigsh.test.pl b/test/sigsh.test.pl index 9c70f4b..a817e6e 100644 --- a/test/sigsh.test.pl +++ b/test/sigsh.test.pl @@ -6,7 +6,7 @@ use warnings; use Test::Command; -use Test::More tests => 10; +use Test::More tests => 11; system("openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mykey.pem -out mycert.pem -batch >/dev/null 2>&1"); @@ -17,9 +17,14 @@ my $perl = `which perl`; chomp($perl); -my $sigsh = "sh ../src/sigsh.sh -c ./mycert.pem"; +my $sigsh= "sh ../src/sigsh.sh -f \"foo(); && >/etc/passwd\""; +my $test = Test::Command->new( cmd => $sigsh); +$test->stderr_like(qr/: Argument must match /, "invalid input leads to failure"); + +$sigsh = "sh ../src/sigsh.sh -f ./mycert.pem"; + my $cmd = "echo uname | $signed_input | $sigsh"; -my $test = Test::Command->new( cmd => $cmd); +$test = Test::Command->new( cmd => $cmd); $test->stdout_like(qr/^$uname$/, "uname was invoked after verification"); $cmd = "echo uname | $signed_input | $sigsh -x";
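Review bot: With `exit 1` removed from `error()`, any call site that relied on it to stop the script now continues past the failure; in this patch only the two `verifyArg` calls in the getopts loop gain an explicit `[ $? -gt 0 ] && exit 1`. A signature-verifying shell should fail closed, so every other `error` call (outside this hunk, not visible here) needs its own `exit 1` or `return 1` after it. A lower-risk shape is to keep `error()` fatal and add a non-exiting helper for the subshell case, e.g. `warn() { echo "${PROGNAME}: $*" >&2; }`, with `verifyArg` calling `warn ...; return 1`.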
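Review bot: The allowlist that `verifyArg` reports (`^[a-zA-Z0-9/_.-]*$`) still accepts the empty string, a value beginning with `-`, and device paths such as the `/dev/tty` named in the commit message, so the rename to `-f` is the only thing keeping that case out. Consider checking the result before it is used, e.g. `[ -f "${CERTS}" ] || { error "certificate file must be a regular file"; exit 1; }`, and likewise confirming that `PROGRAM` is an expected interpreter. How both variables are consumed is outside this hunk. The status check itself reads more directly as `CERTS=$(verifyArg "${OPTARG}") || exit 1`.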
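Review bot: The new negative test asserts only on stderr, so it would still pass if sigsh printed the message and then carried on with the rejected `-f` value, which is the behaviour the explicit `exit 1` in the getopts loop is meant to prevent. Add an exit-status assertion such as `$test->exit_isnt_num(0, "invalid -f argument exits non-zero");` and raise the plan to `tests => 12`. The payload also redirects to `/etc/passwd`; if quoting ever regresses while the suite runs with privileges, the test itself would damage the host. A scratch path under the test directory, checked afterwards with `ok(!-e $canary, ...)`, is a safer canary.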