hardening

2026-04-15 08:11:58 +02:00
parent 60a159c3ea
commit 322d03ed4c
1 changed files with 31 additions and 16 deletions
--- a/profile.sh
+++ b/profile.sh
@@ -52,30 +52,42 @@ fi
 # path* : private functions for PATH variable management
 pathremove()
 {
+    [[ -z "$1" ]] && return 0
    local IFS=':'
-    local newpath
-    local dir
-    local pathvar=${2:-PATH}
+    local newpath dir
+    local pathvar="${2:-PATH}"
+    [[ "$pathvar" =~ ^[a-zA-Z_][a-zA-Z0-9_]*$ ]] || {
+        printf "pathremove: unsafe variable name '%s'\n" "$pathvar" >&2
+        return 1
+    }
    for dir in ${!pathvar}; do
-        if [ "$dir" != "$1" ]; then
-            newpath=${newpath:+$newpath:}$dir
-        fi
+        [[ "$dir" != "$1" ]] && newpath="${newpath:+$newpath:}$dir"
    done
-    export $pathvar="$newpath"
+    export "$pathvar=$newpath"
 }

 pathprepend()
 {
-    pathremove $1 $2
-    local pathvar=${2:-PATH}
-    export $pathvar="$1${!pathvar:+:${!pathvar}}"
+    [[ -z "$1" ]] && return 0
+    local pathvar="${2:-PATH}"
+    [[ "$pathvar" =~ ^[a-zA-Z_][a-zA-Z0-9_]*$ ]] || {
+        printf "pathprepend: unsafe variable name '%s'\n" "$pathvar" >&2
+        return 1
+    }
+    pathremove "$1" "$pathvar"
+    export "$pathvar=$1${!pathvar:+:${!pathvar}}"
 }

 pathappend()
 {
-    pathremove $1 $2
-    local pathvar=${2:-PATH}
-    export $pathvar="${!pathvar:+${!pathvar}:}$1"
+    [[ -z "$1" ]] && return 0
+    local pathvar="${2:-PATH}"
+    [[ "$pathvar" =~ ^[a-zA-Z_][a-zA-Z0-9_]*$ ]] || {
+        printf "pathappend: unsafe variable name '%s'\n" "$pathvar" >&2
+        return 1
+    }
+    pathremove "$1" "$pathvar"
+    export "$pathvar=${!pathvar:+${!pathvar}:}$1"
 }
 # ------------------------------------------------------------------------------

@@ -223,11 +235,14 @@ load_conf system  # Load Bash system behavior configuration (history, pager, etc
 load_conf general # General purpose configuration (compilation flags, etc.)

 # Load module scripts
-for script in $MYPATH/profile.d/*.sh; do
-    if [[ -r $script ]]; then
-        . $script
+shopt -s nullglob
+for script in "$MYPATH/profile.d/"*.sh; do
+    if [[ -f "$script" && -r "$script" ]]; then
+        # shellcheck source=/dev/null
+        . "$script" || printf "[ Warning ] Failed to source module: %s\n" "$script" >&2
    fi
 done
+shopt -u nullglob

 # Interactive shell detection, two methods available each one of those might have different result
 # depending on distribution