[Swan-dev] please use more double quotes in shell scripts!
D. Hugh Redelmeier
hugh at mimosa.com
Wed Jul 25 15:12:50 UTC 2018
The Bourne Shell and all relatives are very unforgiving about requiring
quoting. Most uses of $ should be quoted to avoid surprises.
It's easy to not bother, and the result usually works, but that's just not
good enough when scripting.
For example, a filename can have a space in it. This is not common with
traditional UNIX folks, but perfectly legal, and it shows up more and
more often when GUIs are used. And why not? The main reason is that
shell parsing makes this a little awkward.
But whitespace in filenames is not the only version of the problem. Other
metacharacters might need to be neutralized.
<https://www.xkcd.com/327/>
This problem is well known to web developers because they have to deal
with hostile users. So it amused me that the example sparking this post
is in our testing/web directory.
Nothing in testing/ could spark a CVE. We should check our shell
scripts that could.
My untested changes to testing/web/gime-git-description.sh are below.
First I'll highlight some points about those changes.
- The following looks odd because the inside quotes are not
backslashed. It works because of the (usefully) peculiar interaction
of SH rules. There are too many complexities lurking in SH.
    webdir="$(cd "$(dirname $0)" && pwd)"
- I didn't quote $# because I "know" that it could not have
meta-characters within it. (Yes, I just used "scare-quotes" in that
sentence.) But this goes against The Rule:
    Always quote uses of '$' UNLESS you have a reason why you must
    not. The usual reason is that the thing is a list.
- In this, I group a couple of macro references within one quote.
    echo "${version}-${branch}"
A more straight-forward application of The Rule would result in:
    echo "${version}"-"${branch}"
Perhaps straight-forward should win.
diff --git a/testing/web/gime-git-description.sh b/testing/web/gime-git-description.sh
index f653adfc2..2777f505b 100755
--- a/testing/web/gime-git-description.sh
+++ b/testing/web/gime-git-description.sh
@@ -18,7 +18,7 @@ fi
set -eu
-webdir=$(cd $(dirname $0) && pwd)
+webdir="$(cd "$(dirname $0)" && pwd)"
# cd to the repo
if test $# -gt 0 ; then
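Review bot: `$0` is still unquoted inside the inner substitution on the `+webdir=` line, so a script path containing whitespace would be split by `dirname $0` even with the new outer quotes; the fully quoted form is `webdir="$(cd "$(dirname "$0")" && pwd)"`. The nested double quotes are fine as written, since `$( )` opens a fresh quoting context and the inner pair needs no backslashes; a one-line comment saying so would spare the next reader the puzzle the cover note mentions.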
@@ -26,6 +26,6 @@ if test $# -gt 0 ; then
shift
fi
-version=$(git describe --long)
-branch=$(${webdir}/gime-git-branch.sh .)
-echo ${version}-${branch}
+version="$(git describe --long)"
+branch="$("${webdir}"/gime-git-branch.sh .)"
+echo "${version}-${branch}"
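Review bot: the three quoted assignments look right, and `echo "${version}-${branch}"` reads better than the split `"${version}"-"${branch}"` form because the hyphen is literal either way; `"${webdir}"` inside the command substitution is quoted correctly. Since the cover note says the change is untested, a run from a checkout whose path contains a space would exercise exactly the quoting this hunk adds.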
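Added example, not part of the libreswan tree or of this patch: it constructs a directory whose name contains a space and compares the unquoted shape of the original webdir line with the quoted shape from the patch (plus `"$0"` quoted as well). Function names and the `probe.sh` file name are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from libreswan). A path with a space is constructed
# under a temporary directory; the functions below take the script path
# as $1 where gime-git-description.sh uses $0.

# make_odd_dir: create the constructed directory and print its absolute path.
make_odd_dir() {
    base="$(mktemp -d)"
    mkdir "$base/web dir"
    printf '%s\n' "$base/web dir"
}

# word_count: how many words an unquoted expansion of $1 becomes after
# field splitting and globbing, i.e. what a command would actually receive.
# (Same reason $# itself never needs quoting: it is always one word.)
word_count() {
    # shellcheck disable=SC2086  # deliberately unquoted
    set -- $1
    echo "$#"
}

# webdir_unquoted: the original line's shape, `cd $(dirname $0) && pwd`.
# With a space in the path, dirname and cd each receive two arguments.
webdir_unquoted() {
    # shellcheck disable=SC2046,SC2086  # deliberately unquoted
    cd $(dirname $1) 2>/dev/null && pwd
}

# webdir_quoted: the patched shape with "$1" quoted too. The inner quotes
# need no backslashes because $( ) starts a fresh quoting context.
webdir_quoted() {
    cd "$(dirname "$1")" && pwd
}

# Stand-alone demonstration; the temporary directory is removed afterwards.
d="$(make_odd_dir)"
printf 'words in unquoted path : %s\n' "$(word_count "$d/probe.sh")"
printf 'quoted webdir          : %s\n' "$(webdir_quoted "$d/probe.sh")"
printf 'unquoted webdir        : %s\n' "$(webdir_unquoted "$d/probe.sh" || echo '(cd failed)')"
rm -rf "${d%/*}"
```

Run it with `sh` or `bash`; the unquoted line either fails in `cd` or lands in the wrong directory depending on how the platform's `dirname` treats two operands, and never yields the script's directory.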