From 4b0273751b0326756a41bce1dc127bde58ec47d7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 12 Apr 2026 03:04:39 +0000
Subject: [PATCH 1/2] Initial plan


From 1d4385f9428bb63cbe97939257aa3405c99d991d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 12 Apr 2026 03:07:02 +0000
Subject: [PATCH 2/2] fix(vhost-install): remove invalid local keywords, fix
 printf quoting, eliminate IFS manipulation

Agent-Logs-Url: https://github.com/EngineScript/EngineScript/sessions/d9673092-1c89-400b-80ee-c42f94b6577b

Co-authored-by: PDowney <11467177+PDowney@users.noreply.github.com>
---
 CHANGELOG.md                             | 7 +++++++
 scripts/functions/vhost/vhost-install.sh | 7 +++----
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4494af07..ee5763e2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@ Changes are organized by date, with the most recent changes listed first.
 
 ## 2026-04-12
 
+### 🐛 VHOST INSTALL SHELL CORRECTNESS & SECURITY FIXES
+
+- Removed invalid `local` keyword from `create_db_sql` declaration in `scripts/functions/vhost/vhost-install.sh`; `local` has no effect outside a function and was misleading.
+- Removed invalid `local` keyword from `SQL_ESCAPED_PSWD` declaration in `scripts/functions/vhost/vhost-install.sh` for the same reason.
+- Changed the `printf -v create_db_sql` format string from single quotes to double quotes (with backticks escaped as `\``) to satisfy shell best-practice linting (SC2016 — expressions don't expand in single quotes).
+- Replaced the IFS-manipulation subshell (`IFS='|'; echo "${MULTIPART_PUBLIC_SUFFIXES[*]}"`) used to build `MULTIPART_SUFFIX_CASE_PATTERN` with a `printf`-based join (`printf '%s|'` + trailing-`|` strip), eliminating the HIGH-severity IFS side-effect security concern.
+
 ### 🔒 VHOST INSTALL SECURITY & VALIDATION FIXES
 
 - Added explicit `return` statement at the end of `escape_sql_string_literal()` in `scripts/functions/vhost/vhost-install.sh` to satisfy shell best-practice linting (SC2151/explicit-return warning).
diff --git a/scripts/functions/vhost/vhost-install.sh b/scripts/functions/vhost/vhost-install.sh
index c817b02f..921b1e54 100644
--- a/scripts/functions/vhost/vhost-install.sh
+++ b/scripts/functions/vhost/vhost-install.sh
@@ -51,7 +51,8 @@ validate_db_identifier() {
     exit 1
   fi
 }
-MULTIPART_SUFFIX_CASE_PATTERN="$(IFS='|'; echo "${MULTIPART_PUBLIC_SUFFIXES[*]}")"
+MULTIPART_SUFFIX_CASE_PATTERN="$(printf '%s|' "${MULTIPART_PUBLIC_SUFFIXES[@]}")"
+MULTIPART_SUFFIX_CASE_PATTERN="${MULTIPART_SUFFIX_CASE_PATTERN%|}"
 
 # Check if services are running
 check_required_services
@@ -282,14 +283,12 @@ if [[ "${INSTALL_WORDPRESS}" == "1" ]]; then
 
   echo "Randomly generated MySQL database credentials for ${DOMAIN}."
 
-  local create_db_sql
-  printf -v create_db_sql 'CREATE DATABASE `%s` CHARACTER SET utf8mb4 COLLATE utf8mb4_uca1400_ai_ci;' "${DB}"
+  printf -v create_db_sql "CREATE DATABASE \`%s\` CHARACTER SET utf8mb4 COLLATE utf8mb4_uca1400_ai_ci;" "${DB}"
   if ! sudo mariadb -e "${create_db_sql}"; then
     echo "Error: Failed to create database '${DB}' for domain '${DOMAIN}'." >&2
     exit 1
   fi
 
-  local SQL_ESCAPED_PSWD
   SQL_ESCAPED_PSWD="$(escape_sql_string_literal "${PSWD}")"
 
   if ! sudo mariadb -e "CREATE USER '${USR}'@'localhost' IDENTIFIED BY '${SQL_ESCAPED_PSWD}';"; then