Evaluation of modulecmd.tcl is not escaped properly in modules/init/...

Bug #1797345 reported by Florian Franzen
This bug affects 4 people
Affects: modules (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Even though "modulecmd.tcl" returns shell code that contains asterisks (*), when it is executed inside the init scripts, the returned code is generally not protected by quotes.

It can therefore happen that expressions like "*x*" inside that code are extended to a folder or filenames in the current working directory, before the returned code is evaluated by eval.

In the best case this will lead to MODULES_SILENT_SHELL_DEBUG and related flags not working as intended, or to a few error messages and a half-initialized shell in the worst. The second case is triggered if the replaced name contains any special shell characters (e.g. "Dropbox (groupname)" in my case).

I did not have the time to check if that also means that one can execute arbitrary code, if you are able to create an arbitrary file or folder in the user home folder.

I was able to trigger this issue using sh or bash when running scripts; I have not checked if other shells also suffer from this behavior.

The error messages in bash looked like this in my case:

/usr/share/modules/init/bash: eval: line 42: syntax error near unexpected token `('
/usr/share/modules/init/bash: eval: line 42: ` Dropbox (groupname) set +x; _mlshdbg='x' ;;'
/usr/share/modules/init/bash: line 58: export: _moduleraw: not a function
/usr/share/modules/init/bash: line 60: export: module: not a function

I am running "environment 4.1.1-1" on Ubuntu 18.04.1 LTS.

Putting quotes around the returned value from modulecmd.tcl fixes the issue, e.g. in the case of bash /usr/share/modules/init/bash, line 36 (or close by), should look like this:

eval "`${_mlre:-}/usr/bin/tclsh /usr/lib/x86_64-linux-gnu/modulecmd.tcl bash autoinit`"
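
The difference between the unquoted and quoted eval forms described in the report, as an added example that is not part of the original report or of the Modules init scripts. The functions emit_init_code and try_eval and the emitted case statement are constructed stand-ins for the real modulecmd.tcl output; only the file name comes from the report.

```sh
#!/bin/sh
# Constructed stand-in for the shell code modulecmd.tcl prints (hypothetical;
# only the "*x*" style case pattern is modelled on the report).
emit_init_code() {
    printf '%s\n' '_flags=vx; case "$_flags" in *x*) _dbg=on ;; *) _dbg=off ;; esac'
}

# try_eval STYLE FILE: evaluate the emitted code in a scratch directory.
#   STYLE  quoted | unquoted (how the command substitution is passed to eval)
#   FILE   name of a file to create in that directory first ("" for none)
# Prints "ok:<value of _dbg>" when eval succeeded, "failed" otherwise.
try_eval() {
    dir=$(mktemp -d) || return 1
    if [ -n "$2" ]; then : > "$dir/$2"; fi
    result=$(
        exec 2>/dev/null            # hide the shell's syntax error message
        cd "$dir" || exit 1
        if [ "$1" = quoted ]; then
            # Fixed form: the output reaches eval as one unmodified string.
            eval "`emit_init_code`" || exit 1
        else
            # Old form: the output is word-split and glob-expanded against
            # the current directory before eval sees it.
            eval `emit_init_code` || exit 1
        fi
        printf 'ok:%s' "$_dbg"
    ) || result=failed
    rm -rf "$dir"
    printf '%s\n' "$result"
}

name='Dropbox (groupname)'          # file name taken from the report
printf 'unquoted, "%s" present: %s\n' "$name" "$(try_eval unquoted "$name")"
printf 'quoted,   "%s" present: %s\n' "$name" "$(try_eval quoted "$name")"
printf 'unquoted, empty directory: %s\n' "$(try_eval unquoted '')"
```

The third call shows why the defect only appears in some directories: when no name in the working directory matches the pattern, the shell leaves it as written and the unquoted eval happens to work.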

Florian Franzen (florianfranzen) wrote :

And here is the upstream commit that fixes this bug (part of v4.1.2 release):

https://github.com/cea-hpc/modules/commit/468f16f9ec477f1501d643675b5d4bea2e344e8b

Xavier Delaruelle (xdelaruelle) wrote :

As you said, the issue you report has been fixed in Modules v4.1.2. Other special character escaping issues are also fixed in this bugfix release:

https://modules.readthedocs.io/en/latest/NEWS.html#modules-4-1-2-2018-03-31

I encourage the package manager to update the Modules package on this LTS version of Ubuntu to the most recent v4.1 bugfix release (currently v4.1.4).

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in modules (Ubuntu):
status: New → Confirmed