From: Artem Bityutskiy Date: Fri, 31 Jan 2014 14:37:46 +0000 (+0200) Subject: README: add some more shell coding wisdom X-Git-Tag: accepted/tizen/ivi/20140131.175802~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;ds=sidebyside;h=8e7139ff30a2484dab0d167b02dc9a6e5dc4c92d;p=profile%2Fivi%2Fsetup-ivi.git README: add some more shell coding wisdom Change-Id: Ieef51328e79dee318979bf7267623011d4fbd1ac Signed-off-by: Artem Bityutskiy --- diff --git a/README b/README index 18764d4..206d0e9 100644 --- a/README +++ b/README @@ -5,7 +5,8 @@ Some coding style notes for the shell scripts ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. Do not use bashisms, install 'dash' and use it to verify that the - scripts are free of bashisms. + scripts are free of bashisms. Please, read this article: + https://wiki.ubuntu.com/DashAsBinSh 2. Do not use all capitals for variables 
@@ -21,5 +22,24 @@ Some coding style notes for the shell scripts programming practice to make sure no one tricks your commands by adding options to what should be arguments. E.g., 'rm $file' can be made 'rm -rf /" if one makes "$file" to be "-rf /" somehow. 'rm -- $file' would catch this. + +7. Distinguish between options and arguments: + command --option1 --option2 argument1 argument2 + Options are optional, do add "mandatory" options. + Arguments are mandatory, do not add optional arguments. + +8. Quote all the variables. This is important for everything which comes from + outside. But it is better to have this as a habit, jsut quote everything + starting with "$". Well, there exceptions sometimes, e.g., see how $verbose + is used. But these are rare. You can google for shell script attack vectors, + and notice that many of them are about giving tricky inputs with "$" signs, + spaces, and so on. Most of them are based on the fact that people do not + use quotes. + +9. Do not use "echo", use "printf". Well, "echo" is OK to use with "controlled" + data, but it is easier to just always use "printf" to maintain good + discipline. E.g., read this for some insight about why "printf" is safer: + http://unix.stackexchange.com/questions/65803/why-is-printf-better-than-echo + -- Artem Bityutskiy
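Review bot: item 7 in the second hunk contradicts itself as written: "Options are optional, do add "mandatory" options." drops a "not" and states the opposite of the rule it pairs with ("do not add optional arguments"); it should read "do not add "mandatory" options." Two typos in item 8: "jsut quote everything" -> "just quote everything", and "there exceptions sometimes" -> "there are exceptions sometimes". Item 8's rationale also points at the wrong mechanism: a "$" inside a variable's value is not expanded again by the shell, so quoting defends against word splitting and pathname expansion (spaces, tabs, newlines and glob characters such as "*" in the value), not against "$" signs; rewording that sentence to name splitting and globbing would have readers guarding against the real attack. Since item 8 now introduces the quoting rule, the unquoted 'rm -- $file' kept as context from item 6 is worth fixing to 'rm -- "$file"' in the same patch, because the unquoted form still breaks on a filename containing whitespace or glob characters.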
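Review bot: the first hunk's addition to item 1 still leaves the verification step unspecified: it says to install dash and links the DashAsBinSh article, but not what to actually run. Suggest naming the check in the README line itself, e.g. "run each script under dash (`dash ./script.sh`) and fix anything that fails", and noting that a parse-only run (`dash -n script.sh`) is not sufficient on its own, since constructs such as `[[ ... ]]` or `echo -e` are accepted syntactically by dash but behave differently at run time.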