Skip to content

SC2223

Jump to bottom Edit New page
Vidar Holen edited this page Apr 28, 2018 · 2 revisions

This default assignment may cause DoS due to globbing. Quote it.

Problematic code:

: ${COLUMNS:=80}

Correct code:

: "${COLUMNS:=80}"

Rationale:

This statement is an idiomatic way of assigning a default value to an environment variable. However, even though it's passed to : which ignores arguments, it's better to quote it.

If COLUMNS='/*/*/*/*/*/*', the unquoted, problematic code may spend 30+ minutes trashing the disk as it unnecessarily tries to glob expand the value.

The correct code uses double quotes to avoid glob expansion, and therefore does not have this problem.

When quoting, make sure to update any inner quotes:

: ${var:='foo'}    # Assigns foo without quotes
: "${var:='foo'}"  # Assigns 'foo' with quotes

Exceptions:

None, though this issue is largely theoretical.

Add a custom footer

ShellCheck

Each individual ShellCheck warning has its own wiki page like SC1000. Use GitHub Wiki's "Pages" feature guerraart8 to find a specific , or see Checks.

Clone this wiki locally