Package: shellcheck Version: 0.3.3-1 Severity: wishlist Please check for the possibility of argument injection. Here are some examples of when that can occur and not occur. [1] is an example of how this can be exploited and [2] has an explanation of the issue.
cp "$file" "$target" # bad
cp -- "$file" "$target" # good
cp "./$i" /target # good
# bad
for i in *.txt; do
cp "$i" /target
done
# good
for i in ./*.txt; do
cp "$i" /target
done
1.
http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
2. http://mywiki.wooledge.org/BashPitfalls#cp_.24file_.24target
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (900, 'testing'), (800, 'unstable'), (700, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages shellcheck depends on:
ii libc6 2.19-4
ii libffi6 3.1-2
ii libgmp10 2:6.0.0+dfsg-4
shellcheck recommends no packages.
shellcheck suggests no packages.
-- no debconf information
--
bye,
pabs
http://wiki.debian.org/PaulWise
signature.asc
Description: This is a digitally signed message part
