Description
In libexec/tfenv-install line 173, the cleanup trap uses double quotes with variable expansion:
trap "rm -rf ${download_tmp}" EXITBecause the trap string is double-quoted, ${download_tmp} is expanded at trap definition time, not execution time. If the temp directory path contains spaces or shell metacharacters, the rm -rf command will be word-split.
For example, if mktemp returns a path like /tmp/tfenv download.XXXXXX.abc, the trap would execute rm -rf /tmp/tfenv download.XXXXXX.abc — attempting to delete /tmp/tfenv and download.XXXXXX.abc as separate arguments.
Expected
Use single quotes and proper quoting:
Or better, capture to a variable and use a function:
cleanup() { rm -rf "${download_tmp}"; }
trap cleanup EXITImpact
With adversarial or unusual temp paths, the cleanup could delete unintended files. In practice, mktemp on most systems does not produce paths with spaces, but this is still a correctness issue.
Found via
Code review of all source files.
Description
In
libexec/tfenv-installline 173, the cleanup trap uses double quotes with variable expansion:Because the trap string is double-quoted,
${download_tmp}is expanded at trap definition time, not execution time. If the temp directory path contains spaces or shell metacharacters, therm -rfcommand will be word-split.For example, if
mktempreturns a path like/tmp/tfenv download.XXXXXX.abc, the trap would executerm -rf /tmp/tfenv download.XXXXXX.abc— attempting to delete/tmp/tfenvanddownload.XXXXXX.abcas separate arguments.Expected
Use single quotes and proper quoting:
Or better, capture to a variable and use a function:
Impact
With adversarial or unusual temp paths, the cleanup could delete unintended files. In practice,
mktempon most systems does not produce paths with spaces, but this is still a correctness issue.Found via
Code review of all source files.