fatalerrors/profile
1
0
Fork 0
Code Issues Pull Requests Projects Releases 9 Wiki Activity

protect against code injection, interpret vars

Browse Source
This commit is contained in:
fatalerrors
2026-03-25 14:35:53 +01:00
parent ed5587712e
commit 043fbaef0b
1 changed files with 11 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
profile.sh
View File

@@ -113,6 +113,15 @@ parse_conf()
value="${value#"${value%%[![:space:]]*}"}" value="${value#"${value%%[![:space:]]*}"}"
value="${value%$'\r'}" value="${value%$'\r'}"
# Protect against command injection by disallowing certain characters in keys
value="${value//\`/}"
value="${value//\$\(/}"
# Correctly interpretet internal variables (e.g. $HOME)
if [[ "$value" == *\$* ]]; then
value=$(envsubst <<< "$value")
fi
# Strip quotes (handling both " and ') # Strip quotes (handling both " and ')
value="${value%\"}"; value="${value#\"}" value="${value%\"}"; value="${value#\"}"
value="${value%\'}"; value="${value#\'}" value="${value%\'}"; value="${value#\'}"
@@ -122,7 +131,8 @@ parse_conf()
current_array["$key"]="$value" current_array["$key"]="$value"
fi fi
done < "$config_file" done < "$config_file"
}# ------------------------------------------------------------------------------ }
# ------------------------------------------------------------------------------
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------