edited body
Stéphane Chazelas

If you've been following unix.stackexchange.com for a while, you should hopefully know by now that leaving a variable unquoted in list context (as in echo $var) in Bourne/POSIX shells (zsh being the exception) has a very special meaning and shouldn't be done unless you have a very good reason to.

It's discussed at length in a number of Q&A here (Examples: Why does my shell script choke on whitespace or other special characters?, When is double-quoting necessary?, Expansion of a shell variable and effect of glob and split on it, Quoted vs unquoted string expansion).

That has been the case since the initial release of the Bourne shell in the late 70s and hasn't been changed by the Korn shell (one of David Korn's biggest regrets (question #7)) or bash which mostly copied the Korn shell, and that's how that has been specified by POSIX/Unix.

Now, we're still seeing a number of answers here and even occasionally publicly released shell code where variables are not quoted. You'd have thought people would have learnt by now.

In my experience, there are mainly 3 types of people who omit to quote their variables:

  • beginners. Those can be excused as admittedly it's a completely unintuitive syntax. And it's our role on this site to educate them.

  • forgetful people.

  • people who are not convinced even after repeated hammering, who think that surely the Bourne shell author did not intend us to quote all our variables.

Maybe we can convince them if we expose the risk associated with this kind of behaviour.

What's the worst thing that can possibly happen if you forget to quote your variables? Is it really that bad?

What kind of vulnerability are we talking of here?

In what contexts can it be a problem?

added 2 characters in body
Stéphane Chazelas

Point to "Korn's Biggest Regrets" question, it's a long article

replaced http://unix.stackexchange.com/ with https://unix.stackexchange.com/
added 33 characters in body
Stéphane Chazelas
deleted 3 characters in body
Jeff Schaller
added 48 characters in body
Stéphane Chazelas
edited body
Stéphane Chazelas
edited body
Stéphane Chazelas
edited tags
Gilles 'SO- stop being evil'
Tweeted twitter.com/#!/StackUnix/status/540300167631872001
Stéphane Chazelas