From b857ead4151b087cff6395a4c08f0d954bbf53fd Mon Sep 17 00:00:00 2001
From: Patrick McDermott <patrick.mcdermott@libiquity.com>
Date: Tue, 12 Mar 2019 12:07:06 -0400
Subject: ob_substvars(): Validate variable names

---
(limited to 'lib/control.sh')

diff --git a/lib/control.sh b/lib/control.sh
index 439f52a..5be3fbe 100644
--- a/lib/control.sh
+++ b/lib/control.sh
@@ -273,6 +273,17 @@ ob_substvars()
 		fi
 		old_rhs="${rhs}"
 
+		# Validate the variable name.
+		case "${name}" in *[!A-Za-z0-9-]* | '')
+			_ob_warn_msg 'substvar_invalid' "${name}"
+			# Remove the variable expansion altogether.  We can't
+			# just leave the variable unexpanded, because the
+			# presence of the "${" characters would cause this
+			# parser to loop infinitely.
+			string="${lhs}${rhs}"
+			continue
+		esac
+
 		# Perform the substitution.
 		name="$(echo "${name}" | tr 'a-z-' 'A-Z_')"
 		value="$(eval echo \"\$\{"_OB_SUBSTVAR_${name}"\}\")"
--
cgit v0.9.1