xdg-utils shell scripts appear to be unsafe
The xdg-utils scripts have multiple issues associated with variable quoting, handling of read, using legacy backticks, and handling of spaces in path names, to name a few.
Background:
In using xdg-desktop-menu I discovered that it does not handle directory names with a space in them. This led me to Issue #117, where this behaviour has been documented. I added to that report by using shellcheck to discover what kinds of fixes were required to fix this issue. This unearthed a large number of problems, which I added to that issue.
I then used shellcheck to run the same tests across the xdg-utils POSIX scripts installed in /usr/bin:
- xdg-desktop-icon
- xdg-desktop-menu
- xdg-email
- xdg-icon-resource
- xdg-mime
- xdg-open
- xdg-screensaver
- xdg-settings
- xdg-user-dir
shellcheck has the ability to export a diff, which I've attached here for each of those scripts:
- shellcheck.xdg-desktop-icon.diff
- shellcheck.xdg-desktop-menu.diff
- shellcheck.xdg-email.diff
- shellcheck.xdg-icon-resource.diff
- shellcheck.xdg-mime.diff
- shellcheck.xdg-open.diff
- shellcheck.xdg-screensaver.diff
- shellcheck.xdg-settings.diff
- shellcheck.xdg-user-dir.diff
Fixing this is unlikely to be as simple as using patch, and given the scope of change, I'm uncomfortable starting the work to "fix" these scripts without maintainer input.
Note that I created these diffs using the following information:
- Shellcheck version: 0.7.1
- xdg-utils version: 1.1.3-4.1
- Debian 11.7
I used the following command:
shellcheck xdg-desktop-icon -f diff > shellcheck.xdg-desktop-icon.diff
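As an added illustration (not code from xdg-utils and not part of the report above), the following POSIX sh snippet reproduces the three classes of finding the report names, on a constructed input: unquoted expansion splitting a directory name that contains a space, `read` without `-r` mangling backslashes and leading whitespace, and legacy backticks versus `$(...)`. The function names, the sample directory name "my apps" and the test inputs are assumptions made for the demonstration; the SC codes in the comments are shellcheck's own warning identifiers.

```shell
#!/bin/sh
# Added example, not code from xdg-utils: shows the quoting, read and
# backtick defects that shellcheck flags, each beside its safe form.

# Constructed sample directory name containing a space (an assumption).
SAMPLE_DIR="my apps"

# Unsafe: $1 expanded unquoted is subject to word splitting and globbing
# (SC2086). "my apps" becomes two words, which is the mechanism behind the
# failure on directory names with spaces. Returns the resulting word count.
word_count_unquoted() {
    set -- $1
    printf '%s\n' "$#"
}

# Safe: double quoting keeps the path as one word whatever it contains.
word_count_quoted() {
    set -- "$1"
    printf '%s\n' "$#"
}

# Unsafe: read without -r treats backslash as an escape (SC2162), and the
# default IFS strips leading and trailing whitespace, so a path read from
# a file or pipe can come back altered.
read_unsafe() {
    printf '%s\n' "$1" | { read line; printf '%s\n' "$line"; }
}

# Safe: IFS= read -r returns the line byte for byte.
read_safe() {
    printf '%s\n' "$1" | { IFS= read -r line; printf '%s\n' "$line"; }
}

# Legacy backticks (SC2006) versus $(...): the modern form nests cleanly
# and keeps inner quotes readable, which matters for paths with spaces.
basename_legacy() {
    printf '%s\n' "`basename "$1"`"
}

basename_modern() {
    printf '%s\n' "$(basename "$1")"
}

# Stand-alone demonstration on the constructed path.
if [ "${1:-}" = "--demo" ]; then
    printf 'unquoted words: %s\n' "$(word_count_unquoted "$SAMPLE_DIR")"
    printf 'quoted words:   %s\n' "$(word_count_quoted "$SAMPLE_DIR")"
    printf 'read unsafe:    [%s]\n' "$(read_unsafe '  C:\path')"
    printf 'read safe:      [%s]\n' "$(read_safe '  C:\path')"
    printf 'basename:       %s\n' "$(basename_modern "/opt/$SAMPLE_DIR/foo.desktop")"
fi
```

Running the script with `--demo` prints the two-word split for the unquoted form against a single word for the quoted one, and the mangled versus intact line for the two `read` variants; these are exactly the differences a `shellcheck -f diff` patch would introduce line by line.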