[Sugar-devel] Quoting in shell scripts (was: Re: [sugar-devel] Recent fiddlings with Print Support)

Jonas Smedegaard dr at jones.dk
Wed May 13 11:03:07 EDT 2009



On Wed, May 13, 2009 at 04:33:22PM +0530, Vamsi Krishna Davuluri wrote:

>#in case its not defined
>TMPDIR="/tmp"

Above means that you override if it was defined.  Use this instead:

TMPDIR="${TMPDIR:-/tmp}"

Or use mktemp which has same fallback (and more!) internally.


># we are creating a dummy folder, which can take different file types using
>mkdir, change to ="/tmp/cups-odftops"

It is common practice to keep lines maximum 72 characters long, to avoid 
them wrapping in e.g. emails.


>sandbox="${TMPDIR-/tmp}/cups-odftops.$$$$"

There is absolutely no improved security in 4x$.  $$ resolves to the 
current process id, which (on most systems?) is not random but 
sequential so relatively easy to guess by evil-doers.  $$$$ simply means 
use the same process id twice.

My recommendation was to use mktemp with a _skeleton_ value that 
includes XXXX, which means add a random number that is 4 characters 
long.


>(umask 077 && mkdir "$sandbox") || exit 1

If a system for some reason fails to set umask, above command silently 
continues!


Kind regards,

  - Jonas

-- 
* Jonas Smedegaard - idealist og Internet-arkitekt
* Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
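The three points above (a TMPDIR fallback that does not clobber a pre-set value, a mktemp skeleton instead of $$, and not trusting umask blindly) combined into one helper. This is an added example, not code from the thread or from the odftops filter; the function names and the cups-odftops.XXXXXXXX template are assumptions for illustration.

```sh
#!/bin/sh
# Added example: create a private scratch directory the way the reply above
# recommends. Helper names (tmp_base, make_sandbox) are assumed for this
# example; the template name cups-odftops.XXXXXXXX is illustrative.

# Honour TMPDIR if the caller set it, otherwise fall back to /tmp.
# ${VAR:-default} also treats an empty VAR as unset; ${VAR-default} does not.
tmp_base() {
    printf '%s\n' "${TMPDIR:-/tmp}"
}

# Create a fresh 0700 directory and print its path; on any failure print
# nothing and return non-zero so "|| exit 1" in the caller actually fires.
make_sandbox() {
    base=$(tmp_base) || return 1

    # umask runs inside the command substitution's subshell, so the caller's
    # umask is untouched. mktemp -d replaces the XXXXXXXX skeleton with random
    # characters and creates the directory atomically; $$ (the PID) is
    # predictable and $$$$ is just the same PID twice.
    dir=$(umask 077 && mktemp -d "${base}/cups-odftops.XXXXXXXX") || return 1

    # Do not rely on umask having taken effect: verify the resulting mode.
    # GNU stat uses -c %a, BSD/macOS stat uses -f %Lp; try both.
    mode=$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir" 2>/dev/null) \
        || { rmdir "$dir"; return 1; }
    [ "$mode" = "700" ] || { rmdir "$dir"; return 1; }

    printf '%s\n' "$dir"
}
```

Every expansion of $dir, $base and $sandbox-style variables stays double-quoted, so a TMPDIR containing spaces does not split the path into several arguments.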
