From 72ae82f64836bd784c3bfa802929d94e08903d2d Mon Sep 17 00:00:00 2001
From: Earnestly <zibeon@googlemail.com>
Date: Thu, 21 May 2020 22:03:42 +0100
Subject: [PATCH] sx: prevent wordsplitting on export

Although there is apparently an update to this aspect of POSIX[0] it is
possible for an implementation[1] to induce wordsplitting during an export
assignment.

For example, with both mrsh and an older version of dash, the following
behaviour is observed:

        $ var='contains spaces'
        $ export ENVAR=$var
        $ printf '[%s]\n' "$ENVAR"
        [contains]

This commit additionally guards against file names containing leading
hyphens as is possible with user supplied inputs.

0. https://git.kernel.org/pub/scm/utils/dash/dash.git/commit/?id=cbb71a836874d176809a34e22f6b6e4e3ba8c85b
1. https://github.com/emersion/mrsh/issues/150
---
 sx | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/sx b/sx
index 528750b..92facc8 100755
--- a/sx
+++ b/sx
@@ -24,11 +24,10 @@ tty=${tty#/dev/tty}
 
 cfgdir=${XDG_CONFIG_HOME:-$HOME/.config}/sx
 datadir=${XDG_DATA_HOME:-$HOME/.local/share}/sx
+mkdir -p -- "$cfgdir" "$datadir"
 
-mkdir -p "$cfgdir" "$datadir"
-
-export XAUTHORITY=${XAUTHORITY:-$datadir/xauthority}
-touch "$XAUTHORITY"
+export XAUTHORITY="${XAUTHORITY:-$datadir/xauthority}"
+touch -- "$XAUTHORITY"
 
 trap 'cleanup' EXIT
 xauth add :"$tty" MIT-MAGIC-COOKIE-1 "$(od -An -N16 -tx /dev/urandom | tr -d ' ')"