From: Kevin Day
Date: Fri, 6 Jun 2025 02:43:35 +0000 (-0500)
Subject: Security: Explicitly define IFS to prevent misuse.
X-Git-Url: https://git.kevux.org/?a=commitdiff_plain;p=control
Security: Explicitly define IFS to prevent misuse.
The scripts are written with certain expectations. This expectation may not be properly met if the `IFS` value is changed. This can potentially be used to create some sort of exploit. Explicitly define IFS and then do so at a local variable scope to prevent affecting the callers IFS setting.
---
diff --git a/install.sh b/install.sh
index c8972d1..fb971b5 100755
--- a/install.sh
+++ b/install.sh
@@ -14,6 +14,7 @@
 #
 install_main() {
+ local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope.
 if [[ ${SHELL_ENGINE} == "zsh" ]] ; then
 emulate ksh
@@ -877,4 +878,4 @@ install_cleanup() {
 unset install_cleanup
 }
-install_main $*
+install_main ${*}
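Review bot: The trailing comment on the added `local IFS=$' \t\n'` line names the threat but not the mechanism or the reach of the fix. Because `local` is dynamically scoped, the value applies to install_main and to the functions it calls, but not to anything evaluated at file scope before the call. I would spell that out, e.g. `# Reset IFS to space/tab/newline for this function and its callees; an inherited IFS changes how unquoted expansions are split.` The body of install_main continues past the end of the hunk, so whether a helper re-assigns IFS later cannot be checked from here.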
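Review bot: The call `install_main ${*}` is still unquoted, so the arguments are word-split and glob-expanded at file scope, before the `local IFS` added in the first hunk is in effect; `${*}` behaves exactly like `$*` here. An argument containing whitespace or a glob character, or a caller that sources the script with a modified IFS, can therefore still change what install_main receives. Passing the parameters through unchanged closes that gap: `install_main "$@"`. If install_main relies on a single quoted argument being split into several, that would need checking in the part of the function outside these hunks.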