SC2223
Vidar Holen edited this page 2018-04-28 12:36:03 -07:00

This default assignment may cause DoS due to globbing. Quote it.

Problematic code:

: ${COLUMNS:=80}

Correct code:

: "${COLUMNS:=80}"

Rationale:

This statement is an idiomatic way of assigning a default value to an environment variable. However, even though the result is passed to :, which ignores its arguments, the shell still expands those arguments first, so it's better to quote it.

If COLUMNS='/*/*/*/*/*/*', the unquoted, problematic code may spend 30+ minutes thrashing the disk as it unnecessarily tries to glob-expand the value.

The correct code uses double quotes to avoid glob expansion, and therefore does not have this problem.

When quoting, make sure to update any inner quotes:

: ${var:='foo'}    # Assigns foo without quotes
: "${var:='foo'}"  # Assigns 'foo' with quotes
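
The following added example (not part of the ShellCheck wiki) makes both effects observable: it counts the arguments produced by the unquoted and quoted forms, and shows what each form assigns when the default contains inner quotes. The helper names and the three-file sandbox directory are constructed for illustration, and a harmless '*' pattern stands in for the expensive one above.

```shell
#!/bin/sh
# Added example; all helper names are hypothetical.

# Report how many arguments a command would receive.
count_args() { echo "$#"; }

# Constructed sandbox: a fresh temp directory holding exactly three files.
make_sandbox() {
    d=$(mktemp -d) || return 1
    touch "$d/a" "$d/b" "$d/c"
    echo "$d"
}

# Unquoted form: the expanded value '*' undergoes pathname expansion,
# so the shell reads the directory and passes one argument per match.
unquoted_count() {
    # shellcheck disable=SC2086
    ( cd "$1" && COLUMNS='*' && count_args ${COLUMNS:=80} )
}

# Quoted form: the value stays one literal argument; no directory is read.
quoted_count() {
    ( cd "$1" && COLUMNS='*' && count_args "${COLUMNS:=80}" )
}

# Inner quotes: unquoted, 'foo' loses its quotes before assignment; inside
# double quotes the single quotes are literal and end up in the value.
assigned_unquoted() { ( unset var; : ${var:='foo'}; echo "$var" ) }
assigned_quoted()   { ( unset var; : "${var:='foo'}"; echo "$var" ) }

sandbox=$(make_sandbox) || exit 1
echo "unquoted args:    $(unquoted_count "$sandbox")"
echo "quoted args:      $(quoted_count "$sandbox")"
echo "unquoted assigns: $(assigned_unquoted)"
echo "quoted assigns:   $(assigned_quoted)"
rm -rf "$sandbox"
```

The argument count of the unquoted form grows with the number of matching paths, which is why a deep pattern supplied through the environment turns a default assignment into a full filesystem walk.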

Exceptions:

None, though this issue is largely theoretical.