install.sh: Avoid arbitrary cmd exe

[why] There is some risk that an arbitrary command can be smuggled in and possibly executed with root rights in some situations. See PR #1861. [how] Use xargs instead of eval to store the predefined filter arguments (that come as one string) into individual arguments of the find command. Reported-by: Nick Brady <nbgeniu1@gmail.com> Signed-off-by: Fini Jastrow <ulf.fini.jastrow@desy.de>
2025-10-30 23:43:47 +02:00 · 2025-05-08 10:39:56 +02:00
parent 7f220bd8bc
commit 6edfff3d31
1 changed files with 5 additions and 10 deletions
--- a/install.sh
+++ b/install.sh
@@ -157,18 +157,13 @@ else
  find_filter="-not -name '*NerdFontMono*' -and -not -name '*NerdFontPropo*' -and -name '*NerdFont*'"
 fi

-# Construct directories to be searched
-implode find_dirs "\" \"" "${nerdfonts_dirs[@]}"
-find_dirs="\"$find_dirs\""
-
-# Put it all together into the find command we want
-find_command="find $find_dirs -iname '*.[ot]tf' $find_filter -type f -print0"
-
 # Find all the font files and store in array
 files=()
-while IFS=  read -r -d $'\0'; do
-  files+=("$REPLY")
-done < <(eval "$find_command")
+for dir in "${nerdfonts_dirs[@]}"; do
+  while IFS=  read -r -d $'\0'; do
+    files+=("$REPLY")
+  done < <(echo "${find_filter} -print0" | xargs -- find "${dir}" -iname '*.[ot]tf' -type f)
+done

 #
 # Remove duplicates (i.e. when both otf and ttf version present)