From ffdfd5276352070c69caa7a1b3a6e3139860df86 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 2 Jan 2026 17:34:56 -0500
Subject: [PATCH] Fix WORDSPLIT issues in for loops (HIGH priority)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Converted unsafe 'for var in $list' loops to 'while read' loops to properly handle items with spaces in names.
reference-db.sh (4 fixes):
- Line 172: Database iteration (SHOW DATABASES)
- Line 330: Server alias iteration (space-separated aliases)
- Line 345: Domain iteration (get_user_domains)
- Line 414: WordPress config file paths (find results)
user-manager.sh (4 fixes):
- Line 396: Domain iteration in cPanel log paths
- Line 404: Domain iteration in Plesk log paths
- Line 410: Domain iteration in InterWorx log paths
- Line 632: User iteration (list_all_users)
Pattern changes:
- for item in $list → while IFS= read -r item
- Added [ -z "$item" ] && continue for safety
- Used echo "$list" | while or piped commands directly
This prevents word splitting on spaces in database names, domain names, file paths, and usernames.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Sonnet 4.5
---
 lib/reference-db.sh | 21 +++++++++++----------
 lib/user-manager.sh | 18 ++++++++++++------
 2 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/lib/reference-db.sh b/lib/reference-db.sh
index 4c576f6..3ccda0e 100755
--- a/lib/reference-db.sh
+++ b/lib/reference-db.sh
@@ -166,11 +166,12 @@ build_databases_section() {
 mysql_cmd="mysql -uadmin -p${plesk_mysql_pass}"
 fi
- local all_dbs=$($mysql_cmd -Ns -e "SHOW DATABASES" 2>/dev/null | grep -v "^information_schema$\|^mysql$\|^performance_schema$\|^sys$" || true)
- local total_dbs=$(echo "$all_dbs" | wc -l)
+ local total_dbs=$($mysql_cmd -Ns -e "SHOW DATABASES" 2>/dev/null | grep -v "^information_schema$\|^mysql$\|^performance_schema$\|^sys$" | wc -l)
 local current=0
- for db in $all_dbs; do
+ # Use while read to safely iterate over database names (handles spaces)
+ $mysql_cmd -Ns -e "SHOW DATABASES" 2>/dev/null | grep -v "^information_schema$\|^mysql$\|^performance_schema$\|^sys$" | while IFS= read -r db; do
+ [ -z "$db" ] && continue
 current=$((current + 1))
 show_progress $current $total_dbs "Indexing databases..."
@@ -328,7 +329,8 @@ build_domains_section() {
 # Also add aliases as separate entries
 if [ -n "$server_alias" ]; then
- for alias in $server_alias; do
+ # Convert space-separated aliases to newline-separated for safe iteration
+ echo "$server_alias" | tr ' ' '\n' | while IFS= read -r alias; do
 [ -z "$alias" ] && continue
 [ -n "${seen_domains[$alias]:-}" ] && continue
@@ -341,9 +343,9 @@ build_domains_section() {
 else
 # Fallback for non-cPanel or if userdata not available
 local primary_domain=$(get_user_domains "$user" | head -1)
- local all_domains=$(get_user_domains "$user")
- for domain in $all_domains; do
+ # Use while read to safely iterate over domains (handles spaces)
+ get_user_domains "$user" | while IFS= read -r domain; do
 [ -z "$domain" ] && continue
 [ -n "${seen_domains[$domain]:-}" ] && continue
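Review bot: In build_databases_section the `SHOW DATABASES` pipeline now runs twice, once for `total_dbs` and once to feed the loop, so the progress total and the iterated set can disagree, and in the Plesk branch shown as context the `-p${plesk_mysql_pass}` argument is put on a process command line one more time. The removed capture ended in `|| true`; the new loop pipeline has no such guard, so if the script runs with errexit and pipefail (not visible in this hunk) an empty result from `grep -v` would abort it. Piping into `while` also moves the body into a subshell, so `current` and anything else the body assigns is gone after `done`. I would keep the single `all_dbs=$(… || true)` capture and change only the loop, to `while IFS= read -r db; do` closed by `done <<< "$all_dbs"`; the loop's `done` is outside this hunk.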
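Review bot: In build_domains_section both new loops (`echo "$server_alias" | tr ' ' '\n' | while …` in the -328 hunk and `get_user_domains "$user" | while …` in the -341 hunk) run their bodies in a pipeline subshell, so nothing the body assigns survives the loop. Both bodies consult `seen_domains` on their second line; if they also record the name there (the assignment is outside these hunks), de-duplication silently stops working and the same domain can be written to the reference file more than once. Feeding the loop by redirection keeps it in the current shell: `while IFS= read -r alias; do` closed by `done < <(tr ' ' '\n' <<< "$server_alias")`, and `done < <(get_user_domains "$user")` for the fallback loop. Neither loop's `done` is inside its hunk.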
@@ -409,10 +411,9 @@ build_domains_section() {
 build_wordpress_section() {
 echo "[WORDPRESS]" >> "$SYSREF_DB"
- # Find all wp-config.php files
- local wp_configs=$(find $SYS_USER_HOME_BASE -name "wp-config.php" -type f 2>/dev/null)
-
- for wp_config in $wp_configs; do
+ # Find all wp-config.php files and iterate safely (handles spaces in paths)
+ find "$SYS_USER_HOME_BASE" -name "wp-config.php" -type f 2>/dev/null | while IFS= read -r wp_config; do
+ [ -z "$wp_config" ] && continue
 local wp_dir=$(dirname "$wp_config")
 # Extract username from path (/home/username/...)
diff --git a/lib/user-manager.sh b/lib/user-manager.sh
index 22d73e4..a9c6e46 100755
--- a/lib/user-manager.sh
+++ b/lib/user-manager.sh
@@ -394,7 +394,9 @@ get_user_log_files() {
 case "$SYS_CONTROL_PANEL" in
 cpanel)
- for domain in $domains; do
+ # Iterate safely over domains (handles spaces in domain names)
+ echo "$domains" | while IFS= read -r domain; do
+ [ -z "$domain" ] && continue
 echo "${SYS_LOG_DIR}/${domain}"
 echo "${SYS_LOG_DIR}/${domain}-ssl_log"
 done
@@ -402,13 +404,17 @@ get_user_log_files() {
 plesk)
 echo "/var/www/vhosts/${username}/statistics/logs/access_log"
 echo "/var/www/vhosts/${username}/statistics/logs/error_log"
- for domain in $domains; do
+ # Iterate safely over domains (handles spaces in domain names)
+ echo "$domains" | while IFS= read -r domain; do
+ [ -z "$domain" ] && continue
 echo "/var/www/vhosts/${domain}/statistics/logs/access_log"
 echo "/var/www/vhosts/${domain}/statistics/logs/error_log"
 done
 ;;
 interworx)
- for domain in $domains; do
+ # Iterate safely over domains (handles spaces in domain names)
+ echo "$domains" | while IFS= read -r domain; do
+ [ -z "$domain" ] && continue
 echo "/home/${username}/var/${domain}/logs/access_log"
 echo "/home/${username}/var/${domain}/logs/error_log"
 done
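Review bot: The `find … | while IFS= read -r wp_config` loop in build_wordpress_section is still newline-delimited, so a directory name containing a newline is read as two records, and the names under `$SYS_USER_HOME_BASE` are presumably chosen by the hosted account owners. Because the body goes on to derive a username from the path (per the context comment), a split record could be attributed to the wrong account; NUL delimiting closes that off. I would write the loop as `while IFS= read -r -d '' wp_config; do` and close it with `done < <(find "$SYS_USER_HOME_BASE" -name "wp-config.php" -type f -print0 2>/dev/null)`, which also keeps the body out of a pipeline subshell. The loop's `done` is outside this hunk.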
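Review bot: In get_user_log_files the three `echo "$domains" | while IFS= read -r domain` loops (cPanel in the -394 hunk, Plesk and InterWorx in the -402 hunk) split only on newlines, whereas the removed `for domain in $domains` split on any whitespace. Where `$domains` is assigned is not visible here; if it can be space-separated, as `server_alias` is in reference-db.sh, the whole list becomes one `domain` and a single bogus log path is printed instead of one per domain. Normalising the separator first keeps the old behaviour: `echo "$domains" | tr -s ' \t' '\n' | while IFS= read -r domain; do`. The added comment could then read `# One domain per line; split on whitespace first`, since a hostname cannot contain a space.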
@@ -628,9 +634,9 @@ get_database_owner() {
 # Database names are typically: username_dbname
 local prefix=$(echo "$db_name" | cut -d_ -f1)
- # Check if this prefix matches a user
- local users=$(list_all_users)
- for user in $users; do
+ # Check if this prefix matches a user (iterate safely over usernames)
+ list_all_users | while IFS= read -r user; do
+ [ -z "$user" ] && continue
 if [ "$user" = "$prefix" ]; then
 echo "$user"
 return 0
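Review bot: The `return 0` kept as context inside the new `list_all_users | while …` loop no longer returns from get_database_owner, because the loop body now runs in a pipeline subshell and `return` only ends that subshell. After a match the function carries on with whatever follows `done` (outside this hunk), so callers may see a second line of output or a failure status even though the owner was found. Reading from process substitution keeps the loop in the function's own shell: `while IFS= read -r user; do` closed by `done < <(list_all_users)`.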