My only concern is putting a user-defined value into the environment. The nickname can be anything. I assume that this is for the post-command to operate on in some way?

I suppose I could add a short warning to the documentation about the potential dangers with the environment variable if that's alright?

I'm no security researcher but I've tested some basic attack methods and at least bash seems to not be fooled by (single)quotes, backticks, $(...) or semicolons in the nickname (even without quotes around the variable). Of course bash won't save you if you eval or carelessly use the nickname as part of a filename etc..

My intended use case is to run a small bash script which checks if the nickname matches something like "MachineCertificate" and then sends a notification to the user(s) if something went wrong along with instructions on how to act.

getcert.c defines shell_escape() as a static function. Moving that to util.c and calling it during the setenv should make this more secure.

I think this feature would be a nice addition to certmonger, thanks.

I've opened PR#280 about the shell_escape function to keep things tidy here.

Please rebase this with the merged shell_escape() and call that prior to adding the variables to the environment and I think we're all good.

I plan to do a release this week. It would be nice to include this change.

Hi, sorry for the delay. I've rebased and added escaping for the certificate nickname variable.
I'm not sure if the way I've done the escaping is alright as my understanding of C is pretty rudimentary. I'm open to any feedback and suggestions.

This looks great, thanks for the contribution.