From e3b33cc9a34150c5ecbed7303f2b8272bdd34eb8 Mon Sep 17 00:00:00 2001 From: Christoph Anton Mitterer Date: Mon, 21 Nov 2022 04:10:34 +0100 Subject: [PATCH] ssh_filter_btrbk.sh: remove unnecessary bashishms MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ssh_filter_btrbk.sh is mainly intended for security purposes and should therefore itself be written with that in mind. It is written for bash, which greatly extends the POSIX Shell Command Language and is incompatible with it in some niche cases. For several reasons, it seems a good idea to convert the program to (mostly) pure POSIX Shell Command Language: • People may try to use the program with other shells (for example when bash is not available) and make errors. More pure `sh` implementations like dash … • … have far less code and also less dependencies, which possibly also reduces the chance for bugs or exploits, • … are less dynamic in development (and have thus possibly a lower chance of incompatible changes) … • … and may run faster. This commit replaces any unnecessary “bashishms” with purely POSIX compatible code, with the exception of the `local`-built-in, which is however supported by most POSIX compatible shells (including dash, klibc-utils’s `sh` and BusyBox’ `sh`) in some way. Signed-off-by: Christoph Anton Mitterer --- ssh_filter_btrbk.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/ssh_filter_btrbk.sh b/ssh_filter_btrbk.sh index e73b565..a7fe4ae 100755 --- a/ssh_filter_btrbk.sh +++ b/ssh_filter_btrbk.sh @@ -22,7 +22,7 @@ file_arg_match="('${file_match}'|${file_match_sane})" # support btrbk < 0.32.0 log_cmd() { - if [[ -n "$enable_log" ]]; then + if [ -n "$enable_log" ]; then logger -p "$1" -t ssh_filter_btrbk.sh "$2 (Name: ${LOGNAME:-}; Remote: ${SSH_CLIENT:-})${3:+: $3}: $SSH_ORIGINAL_COMMAND" fi } @@ -53,7 +53,7 @@ run_cmd() reject_filtered_cmd() { - if [[ -n "$restrict_path_list" ]]; then + if [ -n "$restrict_path_list" ]; then # match any of restrict_path_list, # or any file/directory (matching file_match) below restrict_path path_match="'(${restrict_path_list})(${file_match})?'" @@ -66,7 +66,7 @@ reject_filtered_cmd() # btrbk >= 0.32.0 quotes files, allow both (legacy) path_match="(${path_match}|${path_match_legacy})" - if [[ -n "$allow_compress" ]]; then + if [ -n "$allow_compress" ]; then decompress_match="(${compress_list}) -d -c( -[pT][0-9]+)?" compress_match="(${compress_list}) -c( -[0-9])?( -[pT][0-9]+)?" else @@ -76,7 +76,7 @@ reject_filtered_cmd() # rate_limit_remote and stream_buffer_remote use combined # "mbuffer" as of btrbk-0.29.0 - if [[ -n "$allow_stream_buffer" ]] || [[ -n "$allow_rate_limit" ]]; then + if [ -n "$allow_stream_buffer" ] || [ -n "$allow_rate_limit" ]; then mbuffer_match='mbuffer -v 1 -q( -s [0-9]+[kmgKMG]?)?( -m [0-9]+[kmgKMG]?)?( -[rR] [0-9]+[kmgtKMGT]?)?' else mbuffer_match= @@ -103,12 +103,12 @@ reject_filtered_cmd() # check for "--sudo" option before processing other options sudo_prefix= -for key; do - [[ "$key" == '--sudo' ]] && sudo_prefix='sudo -n ' - [[ "$key" == '--doas' ]] && sudo_prefix='doas -n ' +for key in "$@"; do + [ "$key" = '--sudo' ] && sudo_prefix='sudo -n ' + [ "$key" = '--doas' ] && sudo_prefix='doas -n ' done -while [[ "$#" -ge 1 ]]; do +while [ "$#" -ge 1 ]; do key="$1" case "$key" in @@ -193,7 +193,7 @@ case "$SSH_ORIGINAL_COMMAND" in *\<*) reject_and_die 'unsafe character "<"' ;; *\>*) reject_and_die 'unsafe character ">"' ;; *\`*) reject_and_die 'unsafe character "`"' ;; - *\|*) [[ -n "$allow_compress" ]] || [[ -n "$allow_rate_limit" ]] || [[ -n "$allow_stream_buffer" ]] || reject_and_die 'unsafe character "|"' ;; + *\|*) [ -n "$allow_compress" ] || [ -n "$allow_rate_limit" ] || [ -n "$allow_stream_buffer" ] || reject_and_die 'unsafe character "|"' ;; esac reject_filtered_cmd