protect against code injection, interpret vars

profile.sh

@@ -113,6 +113,15 @@ parse_conf()
             value="${value#"${value%%[![:space:]]*}"}"
             value="${value%$'\r'}"
 
+            # Protect against command injection by disallowing certain characters in keys
+            value="${value//\`/}"
+            value="${value//\$\(/}"
+
+            # Correctly interpretet internal variables (e.g. $HOME)
+            if [[ "$value" == *\$* ]]; then
+                value=$(envsubst <<< "$value")
+            fi
+
             # Strip quotes (handling both " and ')
             value="${value%\"}"; value="${value#\"}"
             value="${value%\'}"; value="${value#\'}"
@@ -122,7 +131,8 @@ parse_conf()
             current_array["$key"]="$value"
         fi
     done < "$config_file"
-}# ------------------------------------------------------------------------------
+}
+# ------------------------------------------------------------------------------
 
 
 # ------------------------------------------------------------------------------