From f390dbebc1a950256f9f202ad49d2e6feed6cdb6 Mon Sep 17 00:00:00 2001
From: Peter Schiffer
Date: Thu, 26 Mar 2020 23:51:02 +0100
Subject: [PATCH] Check for EASYRSA_PASSIN and EASYRSA_PASSOUT vars in config file and refuse to continue if they are present there, as they might containg passwords.
---
 easyrsa3/easyrsa | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index d0d1907..c8ac368 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1645,6 +1645,12 @@ vars_setup() {
 # If a vars file was located, source it
 # If $EASYRSA_NO_VARS is defined (not blank) this is skipped
 if [ -z "$EASYRSA_NO_VARS" ] && [ -n "$vars" ]; then
+ if grep -Eq 'EASYRSA_PASSIN|EASYRSA_PASSOUT' "$vars"; then
+ die "\
+Variable EASYRSA_PASSIN or EASYRSA_PASSOUT has been found in the configuration \
+file. Storing sensitive information in the configuration file is not \
+recommended - please remove it from there before continuing."
+ fi
 #shellcheck disable=SC2034
 EASYRSA_CALLER=1
 # shellcheck disable=SC1090
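Review bot: The added `grep -Eq 'EASYRSA_PASSIN|EASYRSA_PASSOUT' "$vars"` guard matches the names anywhere in the file, so a commented-out assignment or a comment that merely documents these variables makes `vars_setup` die even though no passphrase is stored. Skipping comment lines first keeps the check fail-closed for real assignments: `if grep -Ev '^[[:space:]]*#' "$vars" | grep -Eq 'EASYRSA_PASS(IN|OUT)'; then`. The scan is also purely textual, so a value set in a file that `$vars` itself sources would presumably not be seen; a one-line comment above the check stating that it is a best-effort guard would set the right expectation. The die message could name `$vars` so the user knows which file to edit. `vars_setup` starts and ends outside this hunk.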