Merged
7 changes: 7 additions & 0 deletions CHANGELOG.md
Expand Up @@ -6,6 +6,13 @@ Changes are organized by date, with the most recent changes listed first.

## 2026-04-12

### 🐛 VHOST INSTALL SHELL CORRECTNESS & SECURITY FIXES

- Removed invalid `local` keyword from `create_db_sql` declaration in `scripts/functions/vhost/vhost-install.sh`; `local` has no effect outside a function and was misleading.
- Removed invalid `local` keyword from `SQL_ESCAPED_PSWD` declaration in `scripts/functions/vhost/vhost-install.sh` for the same reason.
- Changed the `printf -v create_db_sql` format string from single quotes to double quotes (with backticks escaped as `\``) to satisfy shell best-practice linting (SC2016 — expressions don't expand in single quotes).
- Replaced the IFS-manipulation subshell (`IFS='|'; echo "${MULTIPART_PUBLIC_SUFFIXES[*]}"`) used to build `MULTIPART_SUFFIX_CASE_PATTERN` with a `printf`-based join (`printf '%s|'` + trailing-`|` strip), eliminating the HIGH-severity IFS side-effect security concern.

### 🔒 VHOST INSTALL SECURITY & VALIDATION FIXES

- Added explicit `return` statement at the end of `escape_sql_string_literal()` in `scripts/functions/vhost/vhost-install.sh` to satisfy shell best-practice linting (SC2151/explicit-return warning).
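
Review bot: The last bullet of the new section overstates the fix. The removed line set `IFS='|'` inside `$( ... )`, which is a command substitution, so the assignment was confined to that subshell and never reached the parent shell's IFS. Suggest describing the change as a style or robustness change (`printf` instead of `echo`) and dropping the "HIGH-severity" label. The two `local` bullets say the keyword "has no effect" outside a function; if these declarations are at top level as the entry states, bash rejects them with "local: can only be used in a function" and a non-zero status, so the entry should say an error was removed.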
7 changes: 3 additions & 4 deletions scripts/functions/vhost/vhost-install.sh
Expand Up @@ -51,7 +51,8 @@ validate_db_identifier() {
exit 1
fi
}
MULTIPART_SUFFIX_CASE_PATTERN="$(IFS='|'; echo "${MULTIPART_PUBLIC_SUFFIXES[*]}")"
MULTIPART_SUFFIX_CASE_PATTERN="$(printf '%s|' "${MULTIPART_PUBLIC_SUFFIXES[@]}")"
MULTIPART_SUFFIX_CASE_PATTERN="${MULTIPART_SUFFIX_CASE_PATTERN%|}"

# Check if services are running
check_required_services
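
Review bot: Missing check for the empty case in the two new `MULTIPART_SUFFIX_CASE_PATTERN` assignments. When `MULTIPART_PUBLIC_SUFFIXES` has no elements, `printf '%s|'` still emits the format once, producing a lone `|` that the `%|` strip reduces to an empty string, and nothing in this hunk stops an empty pattern from being used later. Suggest failing early with a `[[ -n "${MULTIPART_SUFFIX_CASE_PATTERN}" ]]` test and adding a one-line comment above the pair that explains the trailing-`|` strip. A blank line between the closing `}` of `validate_db_identifier` and the first assignment would also help readability.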
Expand Down Expand Up @@ -282,14 +283,12 @@ if [[ "${INSTALL_WORDPRESS}" == "1" ]]; then

echo "Randomly generated MySQL database credentials for ${DOMAIN}."

local create_db_sql
printf -v create_db_sql 'CREATE DATABASE `%s` CHARACTER SET utf8mb4 COLLATE utf8mb4_uca1400_ai_ci;' "${DB}"
printf -v create_db_sql "CREATE DATABASE \`%s\` CHARACTER SET utf8mb4 COLLATE utf8mb4_uca1400_ai_ci;" "${DB}"
if ! sudo mariadb -e "${create_db_sql}"; then
echo "Error: Failed to create database '${DB}' for domain '${DOMAIN}'." >&2
exit 1
fi

local SQL_ESCAPED_PSWD
SQL_ESCAPED_PSWD="$(escape_sql_string_literal "${PSWD}")"

if ! sudo mariadb -e "CREATE USER '${USR}'@'localhost' IDENTIFIED BY '${SQL_ESCAPED_PSWD}';"; then
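
Review bot: The double-quoted format string in the new `printf -v create_db_sql` line is more fragile than the single-quoted one it replaces. Every backtick now depends on its backslash, and one dropped escape in a later edit turns the SQL identifier quoting into shell command substitution. The single-quoted form was correct, since the backticks are meant to stay literal; suggest keeping it and silencing the lint with `# shellcheck disable=SC2016` on the line above. Separately, `${DB}` is placed between the backticks without escaping, so please confirm it has passed through `validate_db_identifier` before this block runs.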