Evaluation of modulecmd.tcl is not escaped properly in modules/init/...
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
modules (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
Even though "modulecmd.tcl" returns shell code that contains asterisks (*), when it is executed inside the init scripts, the returned code is generally not protected by quotes.
It can therefore happen that expressions like "*x*" inside that code are extended to a folder or filenames in the current working directory, before the returned code is evaluated by eval.
In the best case this will lead to MODULES_
I did not have the time to check if that also means that one can execute arbitrary code, if you are able to create an arbitrary file or folder in the user home folder.
I was able to trigger this issue using sh or bash when running scripts; I have not checked if other shells also suffer from this behavior.
The error messages in bash looked like this in my case:
/usr/share/
/usr/share/
/usr/share/
/usr/share/
I am running "environment 4.1.1-1" on Ubuntu 18.04.1 LTS.
Putting quotes around the returned value from modulecmd.tcl fixes the issue, e.g. in the case of bash /usr/share/
eval "`${_mlre:
And here is the upstream commit that fixes this bug (part of v4.1.2 release):
https://github.com/cea-hpc/modules/commit/468f16f9ec477f1501d643675b5d4bea2e344e8b
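
Added example, not taken from the bug report or the modules project: a minimal reproduction of the unquoted-eval globbing described in the report, next to the quoted form that avoids it. `emit_code`, `run_variant`, `DEMO_VAR` and the file name `box.txt` are constructed stand-ins; modulecmd.tcl itself is not invoked.

```shell
#!/bin/sh
# Hypothetical stand-in for modulecmd.tcl: prints shell code that the
# caller is expected to eval. The emitted code contains the pattern *x*.
emit_code() {
    printf '%s\n' "DEMO_VAR='keep *x* literal'; export DEMO_VAR"
}

# Evaluate the emitted code inside a scratch directory and print the
# resulting value of DEMO_VAR.
#   $1 = "unquoted" or "quoted" (how the command substitution is passed to eval)
#   $2 = optional file name to create in the scratch directory first
run_variant() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        if [ -n "$2" ]; then
            : > "$2"
        fi
        unset DEMO_VAR
        if [ "$1" = "unquoted" ]; then
            # The substitution result is word-split and glob-expanded
            # against the current directory BEFORE eval sees it.
            eval `emit_code`
        else
            # Quoted: eval receives the emitted code byte for byte.
            eval "`emit_code`"
        fi
        printf '%s\n' "$DEMO_VAR"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# A file matching *x* exists: the unquoted form silently changes the value.
echo "unquoted, box.txt present: $(run_variant unquoted box.txt)"
echo "quoted,   box.txt present: $(run_variant quoted box.txt)"
# No matching file: the unquoted form happens to work, which is why the
# problem only shows up in some working directories.
echo "unquoted, empty directory: $(run_variant unquoted)"
```

The third case shows why the behaviour depends on the working directory: with no file matching the pattern, the shell leaves `*x*` unexpanded and the unquoted form appears correct.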