[Pkg-haskell-maintainers] Bug#753972: shellcheck: detect possibility of argument injection

Paul Wise pabs at debian.org
Sun Jul 6 17:38:50 UTC 2014

Package: shellcheck
Version: 0.3.3-1
Severity: wishlist

Please check for the possibility of argument injection. Here are some
examples of when that can occur and not occur. [1] is an example of how
this can be exploited and [2] has an explanation of the issue.

cp "$file" "$target"     # bad
cp -- "$file" "$target"  # good
cp "./$i" /target        # good

# bad
for i in *.txt; do
    cp "$i" /target

# good
for i in ./*.txt; do
    cp "$i" /target

     1. http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt
     2. http://mywiki.wooledge.org/BashPitfalls#cp_.24file_.24target

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (700, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages shellcheck depends on:
ii  libc6     2.19-4
ii  libffi6   3.1-2
ii  libgmp10  2:6.0.0+dfsg-4

shellcheck recommends no packages.

shellcheck suggests no packages.

-- no debconf information


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-haskell-maintainers/attachments/20140707/6bb5b3c9/attachment.sig>

More information about the Pkg-haskell-maintainers mailing list