From 0e69254b9d22e2d5adf3f69946986dad69a4c387 Mon Sep 17 00:00:00 2001
From: Developer <dev@localhost>
Date: Fri, 20 Mar 2026 01:33:26 -0400
Subject: [PATCH] Fix: Proper IFS restoration in all files (HIGH priority)

HIGH PRIORITY FIXES:
- lib/attack-patterns.sh:668 - Save/restore IFS around echo
- lib/php-analyzer.sh:511 - Save/restore IFS around sort operation
- modules/security/live-attack-monitor-v2.sh:1629 - Save/restore IFS properly

Issue: Modifying IFS without restoring it to previous value causes
word splitting issues in subsequent commands. Using 'unset IFS' is
less reliable than saving and restoring the original value.

Pattern applied:
  old_IFS=$IFS
  IFS='value'
  ...operation...
  IFS=$old_IFS

RESULTS:
- 3 HIGH IFS issues fixed
- Command execution now reliable after IFS modifications
---
 lib/attack-patterns.sh                     | 5 ++++-
 lib/php-analyzer.sh                        | 6 ++++--
 modules/security/live-attack-monitor-v2.sh | 8 +++++---
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index 50b3403..e15169f 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -665,7 +665,10 @@ detect_all_attacks() {
     fi
 
     if [ ${#attacks[@]} -gt 0 ]; then
-        IFS=','; echo "${attacks[*]}"
+        local old_IFS="$IFS"
+        IFS=','
+        echo "${attacks[*]}"
+        IFS="$old_IFS"
     else
         echo ""
     fi
diff --git a/lib/php-analyzer.sh b/lib/php-analyzer.sh
index 525d894..0a2903f 100644
--- a/lib/php-analyzer.sh
+++ b/lib/php-analyzer.sh
@@ -508,8 +508,10 @@ analyze_domain_traffic_advanced() {
     done
 
     # Sort values
-    IFS=$'\n' rpm_sorted=($(sort -n <<<"${rpm_values[*]}"))
-    unset IFS
+    local old_IFS="$IFS"
+    IFS=$'\n'
+    rpm_sorted=($(sort -n <<<"${rpm_values[*]}"))
+    IFS="$old_IFS"
 
     local peak_rpm=${rpm_sorted[-1]:-0}
 
diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 2637f04..0ba7060 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -1626,13 +1626,15 @@ show_blocking_menu() {
     fi
 
     # Sort by score
-    IFS=$'\n' blockable_list=($(sort -t'|' -k2 -rn <<<"${blockable_list[*]}"))
-    unset IFS
+    local old_IFS="$IFS"
+    IFS=$'\n'
+    blockable_list=($(sort -t'|' -k2 -rn <<<"${blockable_list[*]}"))
+    IFS="$old_IFS"
 
     # Display IPs
     local idx=1
     for entry in "${blockable_list[@]}"; do
-        IFS='|' read -r ip score hits attacks <<< "$entry"
+        IFS='|' read -r ip score hits attacks <<< "$entry" || true
         local level=$(get_threat_level "$score")
         local color=$(get_threat_color "$level")