Avoid null bytes decryption work-around for files with doubled "Salted" prefix due to #147

jmurty · jmurty · commit 8be50dfdd536 · 2023-02-16T22:09:16.000+11:00
Improve the work-around for files incorrectly encrypted with doubled "Salted" prefixes due to #147 to avoid null byte warnings – and possibly errors – by checking prefix data as hex-encoded values instead of raw bytes which could contain null characters that are not well handled in bash scripts. This should avoid warnings like the following during decryption: warning: command substitution: ignored null byte in input Unfortunately the need for hex-encoding of bytes adds a new requirement for the `hexdump` command.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -43,8 +43,17 @@ system, you must also run the `--upgrade` command in each repository:
 - When transcrypt refuses to do work in a dirty repository, print a list of
   changed files to help the user understand and fix the issue.
 
+### Changed
+
+- The `hexdump` command is now required by Transcrypt. It will be installed
+  already on many systems, or comes with the `bsdmainutils` package on
+  Ubuntu/Debian that was already required to get the `column` command.
+
 ### Fixed
 
+- Avoid null byte warnings when decrypting certain files, caused by a work-
+  around in 2.2.1 to repair files that could have been incorrectly encrypted
+  with 2.2.0 due to issue #147
 - Prevent `cd` commands printing out excess details when `CDPATH` is set (#156)
 
 ## [2.2.1] - 2023-02-11
diff --git a/README.md b/README.md
@@ -55,7 +55,7 @@ The requirements to run transcrypt are minimal:
 - Bash
 - Git
 - OpenSSL
-- `column` command (on Ubuntu/Debian install `bsdmainutils`)
+- `column` and `hexdump` commands (on Ubuntu/Debian install `bsdmainutils`)
 - `xxd` command if using OpenSSL version 3
   (on Ubuntu/Debian is included with `vim`)
 
diff --git a/transcrypt b/transcrypt
@@ -240,10 +240,11 @@ git_smudge() {
 		# that causes garbage characters at top of decrypted files.
 		#
 		# Check file header, which we already know starts with "Salted", to see if
-		# it has exactly the same "Salted__XYZ" prefix mistakenly repeated twice
-		local header_decoded=$(echo "$(head -c48 <"$tempfile")" | openssl base64 -d)
-		local first_salt_prefix=$(echo "$header_decoded" | cut -b 1-16)         # First 16 bytes
-		local maybe_second_salt_prefix=$(echo "$header_decoded" | cut -b 17-32) # Second 16 bytes
+		# it has exactly the same "Salted__XYZ" prefix mistakenly repeated twice.
+		# Base64 decode gives raw bytes, hexdump gives bytes as ASCII hex characters.
+		local header_as_hex=$(echo "$(head -c48 <"$tempfile")" | openssl base64 -d | hexdump -ve '1/1 "%02x"')
+		local first_salt_prefix=$(echo "$header_as_hex" | cut -b 1-32)         # First 32 chars
+		local maybe_second_salt_prefix=$(echo "$header_as_hex" | cut -b 33-64) # Second 32 chars
 
 		# If the salted prefix is repeated -- and not empty, to avoid mistaken match if
 		# base64 decoding fails -- remove the first occurrence before decrypting...
