From 4e929dbbad9c3b8d2d88f7a44916f14758d39ee5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luc=C3=ADa=20Andrea=20Illanes=20Albornoz?= Date: Sat, 20 Apr 2024 11:13:35 +0200 Subject: etc/README.md: updated. --- etc/README.md | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'etc') diff --git a/etc/README.md b/etc/README.md index 908675bf..ef3fd74e 100644 --- a/etc/README.md +++ b/etc/README.md @@ -968,6 +968,14 @@ by setting ``ARG_MIRROR_DNAME_GIT=...``. [//]: # "{{{ 4.7. Bourne shell coding rules" ## 4.7. Bourne shell coding rules +> N.B. Input sanitisation is mandatory whenever input may form part of a parameter name, most usually +when indexing with input as a key into a (pseudo-)hash, e.g. PKG_ZSH_<...input...>; failing to do so +may introduce security vulnerabilities (e.g.: $(arbitrary_command) and ${arbitrary_variable} facilitating +code execution and information disclosure, resp.) +Do not use this code and these coding rules if this is not possible or impractical. + +*(reproduced from [[shrtl](https://github.com/lalbornoz/shrtl/blob/master/README.md)])* + If no rationale is specified for any specific point, the rationale is avoidance of undefined behaviour and/or implicit behaviour contingent on often subtle special cases, both of which are prone to cause hard to debug or even diagnose bugs. -- cgit v1.2.3