Bug#904087: emacsspeak-ss postrm: potentially unsafe shell code
The prerm script of emacspeak-ss contains a perl script as a
here document (which in reality is read by perl -x) like this:

    perl -x $0 # execute this file as a perl program
    true <<EOF # bash discards everything from here to EOF
    [some perl code]
Written this way, the here document is expanded by the shell. The result
of this expansion is sent to the true command, and the perl interpreter
sees the original unexpanded perl script. The potential problem is that
shell expansion may have side effects through subshell expansion and
parameter expansion with assignments, so this seems unsafe.
We suggest replacing the second line of the above snippet by

since the quote character in the delimiter tells the shell not to
expand the here document.
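The following is an added illustration, not part of the bug report or of the emacspeak-ss package: it rebuilds the prerm pattern with stand-in "perl" text and contrasts the unquoted delimiter with the quoted one (assumed here to be `true <<'EOF'`, as the remark about the quote character implies), showing that the unquoted form both rewrites the text and assigns a shell variable even though `true` discards its input.

```sh
#!/bin/sh
# Added example (not from the bug report). The here-document bodies are
# constructed stand-ins for the Perl code: perl never runs here, the point
# is what the *shell* does with $(...) and ${...:=...} in that text.

# Pattern from the report: unquoted delimiter, output discarded by 'true'.
# Returns MARKER afterwards: ${MARKER:=...} inside the here document
# assigns it, a side effect that survives even though 'true' reads nothing.
discarded_unquoted() {
    MARKER=''
    true <<EOF
print "$(echo this-was-expanded)\n";
print "${MARKER:=assigned-by-heredoc}\n";
EOF
    printf '%s' "${MARKER:-still-empty}"
}

# Hardened form: quoted delimiter, the shell performs no expansion at all,
# so MARKER is untouched (returns "still-empty").
discarded_quoted() {
    MARKER=''
    true <<'EOF'
print "$(echo this-was-expanded)\n";
print "${MARKER:=assigned-by-heredoc}\n";
EOF
    printf '%s' "${MARKER:-still-empty}"
}

# Same body fed to 'cat' instead of 'true', to show exactly which text the
# command receives. Argument: "unquoted" or "quoted".
body_as_seen() {
    if [ "$1" = unquoted ]; then
        cat <<EOF
print "$(echo this-was-expanded)\n";
EOF
    else
        cat <<'EOF'
print "$(echo this-was-expanded)\n";
EOF
    fi
}
```

Run it under dash or bash; `true` is a builtin in both, so the expansion happens in the invoking shell and the assignment is visible afterwards.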
-Yann and Ralf.
Institut de Recherche en Informatique Fondamentale
Équipe Preuves, Programmes et Systèmes
Université Paris Diderot, Paris, France.