Fix double-quoted trap in tfenv-install to handle paths safely #465

Merged
Zordrak merged 1 commit into master from fix/455-double-quoted-trap
Apr 24, 2026

Zordrak (Collaborator) commented Apr 24, 2026

Fixes #455

Replaces the double-quoted trap string with a cleanup function:

# Before:
trap "rm -rf ${download_tmp}" EXIT;

# After:
cleanup_download() { rm -rf "${download_tmp}"; }
trap cleanup_download EXIT;

The previous pattern expanded ${download_tmp} at trap definition time without quotes, making it vulnerable to word-splitting if the temp path contained spaces or shell metacharacters. The function approach expands the variable at execution time with proper quoting.

Testing

  • ./test/run.sh test_install_and_use.sh — all tests pass on Linux (exercises the install codepath and temp cleanup for every version installed).

Fix #455: Replace double-quoted trap string with a cleanup function.

The previous "rm -rf ${download_tmp}" trap expanded the variable at
definition time without quotes, making it vulnerable to word-splitting
if the temp path contained spaces. Using a function reference ensures
the variable is expanded at execution time with proper quoting.
@Zordrak Zordrak merged commit d3be113 into master Apr 24, 2026
5 checks passed
@Zordrak Zordrak deleted the fix/455-double-quoted-trap branch April 24, 2026 15:12
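
The definition-time versus execution-time expansion described in this pull request, as an added example (not code from tfenv or from this PR). The `run_trap_style` helper, the sandbox paths and the decoy `download` directory are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added demonstration; every path lives in a throwaway mktemp sandbox.

# Run one trap style in a subshell and report what its EXIT trap did.
# $1 = "string" (old double-quoted trap) or "function" (new cleanup function).
run_trap_style() {
  style="$1"
  sandbox="$(mktemp -d)"
  download_tmp="${sandbox}/tfenv download"  # constructed temp path with a space
  decoy="${sandbox}/download"               # unrelated directory that must survive
  mkdir -p "${download_tmp}" "${decoy}"
  (
    cd "${sandbox}" || exit 1
    if [ "${style}" = "string" ]; then
      # Expanded now, unquoted inside the string. At EXIT the shell re-parses
      # the text as: rm -rf <sandbox>/tfenv download   (two separate operands)
      trap "rm -rf ${download_tmp}" EXIT
    else
      # Expanded when the trap fires, inside quotes: exactly one operand.
      cleanup_download() { rm -rf "${download_tmp}"; }
      trap cleanup_download EXIT
    fi
  )
  if [ -d "${download_tmp}" ]; then tmp_state="left-behind"; else tmp_state="removed"; fi
  if [ -d "${decoy}" ]; then decoy_state="kept"; else decoy_state="deleted"; fi
  rm -rf "${sandbox}"
  echo "tmp=${tmp_state} decoy=${decoy_state}"
}

echo "string trap:   $(run_trap_style string)"
echo "function trap: $(run_trap_style function)"
```

In bash, `trap -p EXIT` prints the stored trap text, which makes an already-expanded path in an existing script easy to spot.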
Successfully merging this pull request may close these issues.

Bug: Double-quoted trap in tfenv-install allows path injection
