upstream/borgbackup
1
0
Fork 0
mirror of https://github.com/borgbackup/borg.git synced 2026-02-18 18:19:16 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

passphrase: fail if multiple passphrase env vars are set, fixes #8834

Browse source 
If multiple environment variables for the same passphrase context are
provided (e.g., both BORG_PASSPHRASE and BORG_PASSCOMMAND), Borg now
terminates with an error instead of silently choosing one.

This prevents the issue where an old BORG_PASSPHRASE in the environment
could override a newly intended BORG_PASSCOMMAND or BORG_PASSPHRASE_FD.
This commit is contained in:
Thomas Waldmann 2026-02-14 22:16:55 +01:00
parent 40dcfe4d99
commit a963011004
No known key found for this signature in database
GPG key ID: 9F88FB52FAF7B393
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
src/borg/helpers/passphrase.py
View file

@ -40,6 +40,12 @@ class PasswordRetriesExceeded(Error):
class Passphrase(str):
@classmethod
def _check_ambiguity(cls, vars):
set_vars = [v for v in vars if v in os.environ]
if len(set_vars) > 1:
raise Error("More than one passphrase environment variable is set: " + ", ".join(set_vars))
@classmethod
def _env_passphrase(cls, env_var, default=None):
passphrase = os.environ.get(env_var, default)
@ -48,6 +54,10 @@ class Passphrase(str):
@classmethod
def env_passphrase(cls, default=None, other=False):
if other:
cls._check_ambiguity(["BORG_OTHER_PASSPHRASE", "BORG_OTHER_PASSCOMMAND", "BORG_OTHER_PASSPHRASE_FD"])
else:
cls._check_ambiguity(["BORG_PASSPHRASE", "BORG_PASSCOMMAND", "BORG_PASSPHRASE_FD"])
env_var = "BORG_OTHER_PASSPHRASE" if other else "BORG_PASSPHRASE"
passphrase = cls._env_passphrase(env_var, default)
if passphrase is not None: