Showing 178 of 178 total issues
Double quote to prevent globbing and word splitting. Open
eval trans block_example_group ${1+'"$@"'}
- Read upRead up
- Exclude checks
Double quote to prevent globbing and word splitting.
Problematic code:
echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done
Correct code:
echo "$1"
for i in "$@"; do :; done # or, 'for i; do'
Rationale
The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."
The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.
Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.
Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:
$HOME/$dir/dist/bin/$file # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file" # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file" # Canonical quoting (good)
When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c"
will not expand, but "$HOME/$dir/src"/*.c
will.
Note that $( )
starts a new context, and variables in it have to be quoted independently:
echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"
Exceptions
Sometimes you want to split on spaces, like when building a command line:
options="-j 5 -B"
make $options file
Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):
options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file
or a function (POSIX):
make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file
To split on spaces but not perform glob expansion, Posix has a set -f
to disable globbing. You can disable word splitting by setting IFS=''
.
Similarly, you might want an optional argument:
debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script
Quoting this doesn't work, since in the default case, "$debug"
would expand to one empty argument while $debug
would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:
debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script
This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}
.
As always, this warning can be [[ignore]]d on a case-by-case basis.
this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...
FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
In POSIX sh, 'typeset' is undefined. Open
typeset -f "$1" >/dev/null 2>&1 || return 0
- Read upRead up
- Exclude checks
In POSIX sh, something is undefined.
You have declared that your script works with /bin/sh
, but you are using features that have undefined behavior according to the POSIX specification.
It may currently work for you, but it can or will fail on other OS, the same OS with different configurations, from different contexts (like initramfs/chroot), or in different versions of the same OS, including future updates to your current system.
Either declare that your script requires a specific shell like #!/bin/bash
or #!/bin/dash
, or rewrite the script in a portable way.
For help with rewrites, the Ubuntu wiki has a list of portability issues that broke people's #!/bin/sh
scripts when Ubuntu switched from Bash to Dash. See also Bashism on wooledge's wiki. ShellCheck may not warn about all these issues.
$'c-style-escapes'
bash, ksh:
a=$' \t\n'
POSIX:
a="$(printf '%b_' ' \t\n')"; a="${a%_}" # protect trailing \n
Want some good news? See http://austingroupbugs.net/view.php?id=249#c590.
$"msgid"
Bash:
echo $"foo $(bar) baz"
POSIX:
. gettext.sh # GNU Gettext sh library
# ...
barout=$(bar)
eval_gettext 'foo $barout baz' # See GNU Gettext doc for more info.
Or you can change them to normal double quotes so you go without gettext
.
Arithmetic for
loops
Bash:
for ((init; test; next)); do foo; done
POSIX:
: $((init))
while [ $((test)) -ne 0 ]; do foo; : $((next)); done
Arithmetic exponentiation
Bash:
printf "%s\n" "$(( 2**63 ))"
POSIX:
The POSIX standard does not allow for exponents. However, you can replicate them completely built-in using a POSIX compatible function. As an example, the pow
function from here.
pow () {
set "$1" "$2" 1
while [ "$2" -gt 0 ]; do
set "$1" $(($2-1)) $(($1*$3))
done
# %d = signed decimal, %u = unsigned decimal
# Either should overflow to 0
printf "%d\n" "$3"
}
To compare:
$ echo "$(( 2**62 ))"
4611686018427387904
$ pow 2 62
4611686018427387904
Alternatively, if you don't mind using an external program, you can use bc
. Be aware though: bash
and other programs may abide by a certain maximum integer that bc
does not (for bash
that's: 64-bit signed long int, failing back to 32-bit signed long int).
Example:
# Note the overflow that gives a negative number
$ echo "$(( 2**63 ))"
-9223372036854775808
# No such problem
$ echo 2^63 | bc
9223372036854775808
# 'bc' just keeps on going
$ echo 2^1280 | bc
20815864389328798163850480654728171077230524494533409610638224700807\
21611934672059602447888346464836968484322790856201558276713249664692\
98162798132113546415258482590187784406915463666993231671009459188410\
95379622423387354295096957733925002768876520583464697770622321657076\
83317005651120933244966378183760369413644440628104205339687097746591\
6057756101739472373801429441421111406337458176
standalone ((..))
Bash:
((a=c+d))
((d)) && echo d is true.
POSIX:
: $((a=c+d)) # discard the output of the arith expn with `:` command
[ $((d)) -ne 0 ] && echo d is true. # manually check non-zero => true
select
loops
It takes extra care over terminal columns to make select loop look like bash's, which generates a list with multiple items on one line, or like ls
.
It is, however, still possible to make a naive translation for select foo in bar baz; do eat; done
:
while
_i=0 _foo= foo=
for _name in bar baz; do echo "$((_i+=1))) $_name"; done
printf '$# '; read _foo
do
case _foo in 1) foo=bar;; 2) foo=baz;; *) continue;; esac
eat
done
Here-strings
Bash, ksh:
grep aaa <<< "$g"
POSIX:
# not exactly the same -- <<< adds a trailing \n if $g doesn't end with \n
printf '%s' "$g" | grep aaa
echo flags
See https://unix.stackexchange.com/tags/echo/info.
${var/pat/replacement}
Bash:
echo "${TERM/%-256*}"
POSIX:
echo "$TERM" | sed -e 's/-256.*$//g'
# Special case for this since we are matching the end:
echo "${TERM%-256*}"
printf %q
Bash:
printf '%q ' "$@"
POSIX:
# TODO: Interpret it back to printf escapes for hard-to-copy chars like \t?
# See also: http://git.savannah.gnu.org/cgit/libtool.git/tree/gl/build-aux/funclib.sh?id=c60e054#n1029
reuse_quote()(
for i; do
__i_quote=$(printf '%s\n' "$i" | sed -e "s/'/'\\\\''/g"; echo x)
printf "'%s'" "${__i_quote%x}"
done
)
reuse_quote "$@"
Exception
Depends on what your expected POSIX shell providers would use.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Double quote to prevent globbing and word splitting. Open
eval shellspec_syntax_dispatch modifier ${1+'"$@"'}
- Read upRead up
- Exclude checks
Double quote to prevent globbing and word splitting.
Problematic code:
echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done
Correct code:
echo "$1"
for i in "$@"; do :; done # or, 'for i; do'
Rationale
The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."
The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.
Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.
Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:
$HOME/$dir/dist/bin/$file # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file" # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file" # Canonical quoting (good)
When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c"
will not expand, but "$HOME/$dir/src"/*.c
will.
Note that $( )
starts a new context, and variables in it have to be quoted independently:
echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"
Exceptions
Sometimes you want to split on spaces, like when building a command line:
options="-j 5 -B"
make $options file
Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):
options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file
or a function (POSIX):
make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file
To split on spaces but not perform glob expansion, Posix has a set -f
to disable globbing. You can disable word splitting by setting IFS=''
.
Similarly, you might want an optional argument:
debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script
Quoting this doesn't work, since in the default case, "$debug"
would expand to one empty argument while $debug
would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:
debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script
This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}
.
As always, this warning can be [[ignore]]d on a case-by-case basis.
this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...
FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Can't follow non-constant source. Use a directive to specify location. Open
. "$SHELLSPEC_SUPPORT_BIN"
- Read upRead up
- Exclude checks
Can't follow non-constant source. Use a directive to specify location.
Problematic code:
. "$(find_install_dir)/lib.sh"
Correct code:
# shellcheck source=src/lib.sh
. "$(find_install_dir)/lib.sh"
Rationale:
ShellCheck is not able to include sourced files from paths that are determined at runtime. The file will not be read, potentially resulting in warnings about unassigned variables and similar.
Use a [[Directive]] to point shellcheck to a fixed location it can read instead.
Exceptions:
If you don't care that ShellCheck is unable to account for the file, specify # shellcheck source=/dev/null
.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Don't use variables in the printf format string. Use printf "..%s.." "$foo". Open
printf "${color}##############################\n\033[m"
- Read upRead up
- Exclude checks
Don't use variables in the printf format string. Use printf "..%s.." "$foo".
Problematic code:
printf "Hello, $NAME\n"
Correct code:
printf "Hello, %s\n" "$NAME"
Rationale:
printf
interprets escape sequences and format specifiers in the format string. If variables are included, any escape sequences or format specifiers in the data will be interpreted too, when you most likely wanted to treat it as data. Example:
coverage='96%'
printf "Unit test coverage: %s\n" "$coverage"
printf "Unit test coverage: $coverage\n"
The first printf writes Unit test coverage: 96%
.
The second writes bash: printf: `\': invalid format character
Exceptions
Sometimes you may actually want to interpret data as a format string, like in:
hexToAscii() { printf "\x$1"; }
hexToAscii 21
or when you have a pattern in a variable:
filepattern="file-%d.jpg"
printf -v filename "$filepattern" "$number"
These are valid use cases with no useful rewrites. Please [[ignore]] the warnings with a [[directive]].
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
pre was modified in a subshell. That change might be lost. Open
git_remote_tags "${PRE:+--pre}"
- Read upRead up
- Exclude checks
var was modified in a subshell. That change might be lost.
Problematic code:
There are many ways of accidentally creating subshells, but a common one is piping to a loop:
n=0
printf "%s\n" {1..10} | while read i; do (( n+=i )); done
echo $n
Correct code:
# Bash specific: process substitution. Also try shopts like lastpipe.
n=0
while read i; do (( n+=i )); done < <(printf "%s\n" {1..10})
echo $n
In sh
, a temp file (better if fifo or fd) can be used instead of process substitution. And if it's acceptable to do it with waiting, try Here Documents.
Rationale:
Variables set in subshells are not available outside the subshell. This is a wide topic, and better described on the Wooledge Bash Wiki.
Here are some constructs that cause subshells (shellcheck may not warn about all of them). In each case, you can replace subshell1
by a command or function that sets a variable, e.g. simply var=foo
, and the variable will appear to be unset after the command is run. Similarly, you can replace regular
with var=foo
, and it will be set afterwards:
Pipelines:
subshell1 | subshell2 | subshell3 # Bash, Dash, Ash
subshell1 | subshell2 | regular # Ksh, Zsh
Command substitution:
regular "$(subshell1)" "`subshell2`"
Process substitution:
regular <(subshell1) >(subshell2)
Some forms of grouping:
( subshell )
{ regular; }
Backgrounding:
subshell1 &
subshell2 &
Anything executed by external processes:
find . -exec subshell1 {} \;
find . -print0 | xargs -0 subshell2
sudo subshell3
su -c subshell4
This applies not only to setting variables, but also setting shell options and changing directories.
Exceptions
You can ignore this error if you don't care that the changes aren't reflected, because work on the value branches and shouldn't be recombined.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
In POSIX sh, 'typeset' is undefined. Open
elif ( typeset -r .sh >/dev/null 2>&1 ); then
- Read upRead up
- Exclude checks
In POSIX sh, something is undefined.
You have declared that your script works with /bin/sh
, but you are using features that have undefined behavior according to the POSIX specification.
It may currently work for you, but it can or will fail on other OS, the same OS with different configurations, from different contexts (like initramfs/chroot), or in different versions of the same OS, including future updates to your current system.
Either declare that your script requires a specific shell like #!/bin/bash
or #!/bin/dash
, or rewrite the script in a portable way.
For help with rewrites, the Ubuntu wiki has a list of portability issues that broke people's #!/bin/sh
scripts when Ubuntu switched from Bash to Dash. See also Bashism on wooledge's wiki. ShellCheck may not warn about all these issues.
$'c-style-escapes'
bash, ksh:
a=$' \t\n'
POSIX:
a="$(printf '%b_' ' \t\n')"; a="${a%_}" # protect trailing \n
Want some good news? See http://austingroupbugs.net/view.php?id=249#c590.
$"msgid"
Bash:
echo $"foo $(bar) baz"
POSIX:
. gettext.sh # GNU Gettext sh library
# ...
barout=$(bar)
eval_gettext 'foo $barout baz' # See GNU Gettext doc for more info.
Or you can change them to normal double quotes so you go without gettext
.
Arithmetic for
loops
Bash:
for ((init; test; next)); do foo; done
POSIX:
: $((init))
while [ $((test)) -ne 0 ]; do foo; : $((next)); done
Arithmetic exponentiation
Bash:
printf "%s\n" "$(( 2**63 ))"
POSIX:
The POSIX standard does not allow for exponents. However, you can replicate them completely built-in using a POSIX compatible function. As an example, the pow
function from here.
pow () {
set "$1" "$2" 1
while [ "$2" -gt 0 ]; do
set "$1" $(($2-1)) $(($1*$3))
done
# %d = signed decimal, %u = unsigned decimal
# Either should overflow to 0
printf "%d\n" "$3"
}
To compare:
$ echo "$(( 2**62 ))"
4611686018427387904
$ pow 2 62
4611686018427387904
Alternatively, if you don't mind using an external program, you can use bc
. Be aware though: bash
and other programs may abide by a certain maximum integer that bc
does not (for bash
that's: 64-bit signed long int, failing back to 32-bit signed long int).
Example:
# Note the overflow that gives a negative number
$ echo "$(( 2**63 ))"
-9223372036854775808
# No such problem
$ echo 2^63 | bc
9223372036854775808
# 'bc' just keeps on going
$ echo 2^1280 | bc
20815864389328798163850480654728171077230524494533409610638224700807\
21611934672059602447888346464836968484322790856201558276713249664692\
98162798132113546415258482590187784406915463666993231671009459188410\
95379622423387354295096957733925002768876520583464697770622321657076\
83317005651120933244966378183760369413644440628104205339687097746591\
6057756101739472373801429441421111406337458176
standalone ((..))
Bash:
((a=c+d))
((d)) && echo d is true.
POSIX:
: $((a=c+d)) # discard the output of the arith expn with `:` command
[ $((d)) -ne 0 ] && echo d is true. # manually check non-zero => true
select
loops
It takes extra care over terminal columns to make select loop look like bash's, which generates a list with multiple items on one line, or like ls
.
It is, however, still possible to make a naive translation for select foo in bar baz; do eat; done
:
while
_i=0 _foo= foo=
for _name in bar baz; do echo "$((_i+=1))) $_name"; done
printf '$# '; read _foo
do
case _foo in 1) foo=bar;; 2) foo=baz;; *) continue;; esac
eat
done
Here-strings
Bash, ksh:
grep aaa <<< "$g"
POSIX:
# not exactly the same -- <<< adds a trailing \n if $g doesn't end with \n
printf '%s' "$g" | grep aaa
echo flags
See https://unix.stackexchange.com/tags/echo/info.
${var/pat/replacement}
Bash:
echo "${TERM/%-256*}"
POSIX:
echo "$TERM" | sed -e 's/-256.*$//g'
# Special case for this since we are matching the end:
echo "${TERM%-256*}"
printf %q
Bash:
printf '%q ' "$@"
POSIX:
# TODO: Interpret it back to printf escapes for hard-to-copy chars like \t?
# See also: http://git.savannah.gnu.org/cgit/libtool.git/tree/gl/build-aux/funclib.sh?id=c60e054#n1029
reuse_quote()(
for i; do
__i_quote=$(printf '%s\n' "$i" | sed -e "s/'/'\\\\''/g"; echo x)
printf "'%s'" "${__i_quote%x}"
done
)
reuse_quote "$@"
Exception
Depends on what your expected POSIX shell providers would use.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
In POSIX sh, ulimit -t is undefined. Open
ulimit -t unlimited || exit 1
- Read upRead up
- Exclude checks
In POSIX sh, something is undefined.
You have declared that your script works with /bin/sh
, but you are using features that have undefined behavior according to the POSIX specification.
It may currently work for you, but it can or will fail on other OS, the same OS with different configurations, from different contexts (like initramfs/chroot), or in different versions of the same OS, including future updates to your current system.
Either declare that your script requires a specific shell like #!/bin/bash
or #!/bin/dash
, or rewrite the script in a portable way.
For help with rewrites, the Ubuntu wiki has a list of portability issues that broke people's #!/bin/sh
scripts when Ubuntu switched from Bash to Dash. See also Bashism on wooledge's wiki. ShellCheck may not warn about all these issues.
$'c-style-escapes'
bash, ksh:
a=$' \t\n'
POSIX:
a="$(printf '%b_' ' \t\n')"; a="${a%_}" # protect trailing \n
Want some good news? See http://austingroupbugs.net/view.php?id=249#c590.
$"msgid"
Bash:
echo $"foo $(bar) baz"
POSIX:
. gettext.sh # GNU Gettext sh library
# ...
barout=$(bar)
eval_gettext 'foo $barout baz' # See GNU Gettext doc for more info.
Or you can change them to normal double quotes so you go without gettext
.
Arithmetic for
loops
Bash:
for ((init; test; next)); do foo; done
POSIX:
: $((init))
while [ $((test)) -ne 0 ]; do foo; : $((next)); done
Arithmetic exponentiation
Bash:
printf "%s\n" "$(( 2**63 ))"
POSIX:
The POSIX standard does not allow for exponents. However, you can replicate them completely built-in using a POSIX compatible function. As an example, the pow
function from here.
pow () {
set "$1" "$2" 1
while [ "$2" -gt 0 ]; do
set "$1" $(($2-1)) $(($1*$3))
done
# %d = signed decimal, %u = unsigned decimal
# Either should overflow to 0
printf "%d\n" "$3"
}
To compare:
$ echo "$(( 2**62 ))"
4611686018427387904
$ pow 2 62
4611686018427387904
Alternatively, if you don't mind using an external program, you can use bc
. Be aware though: bash
and other programs may abide by a certain maximum integer that bc
does not (for bash
that's: 64-bit signed long int, failing back to 32-bit signed long int).
Example:
# Note the overflow that gives a negative number
$ echo "$(( 2**63 ))"
-9223372036854775808
# No such problem
$ echo 2^63 | bc
9223372036854775808
# 'bc' just keeps on going
$ echo 2^1280 | bc
20815864389328798163850480654728171077230524494533409610638224700807\
21611934672059602447888346464836968484322790856201558276713249664692\
98162798132113546415258482590187784406915463666993231671009459188410\
95379622423387354295096957733925002768876520583464697770622321657076\
83317005651120933244966378183760369413644440628104205339687097746591\
6057756101739472373801429441421111406337458176
standalone ((..))
Bash:
((a=c+d))
((d)) && echo d is true.
POSIX:
: $((a=c+d)) # discard the output of the arith expn with `:` command
[ $((d)) -ne 0 ] && echo d is true. # manually check non-zero => true
select
loops
It takes extra care over terminal columns to make select loop look like bash's, which generates a list with multiple items on one line, or like ls
.
It is, however, still possible to make a naive translation for select foo in bar baz; do eat; done
:
while
_i=0 _foo= foo=
for _name in bar baz; do echo "$((_i+=1))) $_name"; done
printf '$# '; read _foo
do
case _foo in 1) foo=bar;; 2) foo=baz;; *) continue;; esac
eat
done
Here-strings
Bash, ksh:
grep aaa <<< "$g"
POSIX:
# not exactly the same -- <<< adds a trailing \n if $g doesn't end with \n
printf '%s' "$g" | grep aaa
echo flags
See https://unix.stackexchange.com/tags/echo/info.
${var/pat/replacement}
Bash:
echo "${TERM/%-256*}"
POSIX:
echo "$TERM" | sed -e 's/-256.*$//g'
# Special case for this since we are matching the end:
echo "${TERM%-256*}"
printf %q
Bash:
printf '%q ' "$@"
POSIX:
# TODO: Interpret it back to printf escapes for hard-to-copy chars like \t?
# See also: http://git.savannah.gnu.org/cgit/libtool.git/tree/gl/build-aux/funclib.sh?id=c60e054#n1029
reuse_quote()(
for i; do
__i_quote=$(printf '%s\n' "$i" | sed -e "s/'/'\\\\''/g"; echo x)
printf "'%s'" "${__i_quote%x}"
done
)
reuse_quote "$@"
Exception
Depends on what your expected POSIX shell providers would use.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Double quote to prevent globbing and word splitting. Open
eval trans mock_begin ${1+'"$@"'}
- Read upRead up
- Exclude checks
Double quote to prevent globbing and word splitting.
Problematic code:
echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done
Correct code:
echo "$1"
for i in "$@"; do :; done # or, 'for i; do'
Rationale
The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."
The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.
Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.
Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:
$HOME/$dir/dist/bin/$file # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file" # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file" # Canonical quoting (good)
When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c"
will not expand, but "$HOME/$dir/src"/*.c
will.
Note that $( )
starts a new context, and variables in it have to be quoted independently:
echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"
Exceptions
Sometimes you want to split on spaces, like when building a command line:
options="-j 5 -B"
make $options file
Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):
options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file
or a function (POSIX):
make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file
To split on spaces but not perform glob expansion, Posix has a set -f
to disable globbing. You can disable word splitting by setting IFS=''
.
Similarly, you might want an optional argument:
debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script
Quoting this doesn't work, since in the default case, "$debug"
would expand to one empty argument while $debug
would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:
debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script
This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}
.
As always, this warning can be [[ignore]]d on a case-by-case basis.
this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...
FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Double quote to prevent globbing and word splitting. Open
eval count_specfiles count ${1+'"$@"'}
- Read upRead up
- Exclude checks
Double quote to prevent globbing and word splitting.
Problematic code:
echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done
Correct code:
echo "$1"
for i in "$@"; do :; done # or, 'for i; do'
Rationale
The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."
The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.
Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.
Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:
$HOME/$dir/dist/bin/$file # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file" # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file" # Canonical quoting (good)
When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c"
will not expand, but "$HOME/$dir/src"/*.c
will.
Note that $( )
starts a new context, and variables in it have to be quoted independently:
echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"
Exceptions
Sometimes you want to split on spaces, like when building a command line:
options="-j 5 -B"
make $options file
Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):
options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file
or a function (POSIX):
make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file
To split on spaces but not perform glob expansion, Posix has a set -f
to disable globbing. You can disable word splitting by setting IFS=''
.
Similarly, you might want an optional argument:
debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script
Quoting this doesn't work, since in the default case, "$debug"
would expand to one empty argument while $debug
would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:
debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script
This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}
.
As always, this warning can be [[ignore]]d on a case-by-case basis.
this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...
FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Double quote to prevent globbing and word splitting. Open
shift 3; eval 'set -- "${OPTARG# }"' ${1+'"$@"'}; OPTARG= ;;
- Read upRead up
- Exclude checks
Double quote to prevent globbing and word splitting.
Problematic code:
echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done
Correct code:
echo "$1"
for i in "$@"; do :; done # or, 'for i; do'
Rationale
The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."
The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.
Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.
Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:
$HOME/$dir/dist/bin/$file # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file" # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file" # Canonical quoting (good)
When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c"
will not expand, but "$HOME/$dir/src"/*.c
will.
Note that $( )
starts a new context, and variables in it have to be quoted independently:
echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"
Exceptions
Sometimes you want to split on spaces, like when building a command line:
options="-j 5 -B"
make $options file
Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):
options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file
or a function (POSIX):
make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file
To split on spaces but not perform glob expansion, Posix has a set -f
to disable globbing. You can disable word splitting by setting IFS=''
.
Similarly, you might want an optional argument:
debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script
Quoting this doesn't work, since in the default case, "$debug"
would expand to one empty argument while $debug
would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:
debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script
This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}
.
As always, this warning can be [[ignore]]d on a case-by-case basis.
this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...
FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
In POSIX sh, 'shopt' is undefined. Open
shopt -u verbose_errexit 2>/dev/null ||:
- Read upRead up
- Exclude checks
In POSIX sh, something is undefined.
You have declared that your script works with /bin/sh
, but you are using features that have undefined behavior according to the POSIX specification.
It may currently work for you, but it can or will fail on other OS, the same OS with different configurations, from different contexts (like initramfs/chroot), or in different versions of the same OS, including future updates to your current system.
Either declare that your script requires a specific shell like #!/bin/bash
or #!/bin/dash
, or rewrite the script in a portable way.
For help with rewrites, the Ubuntu wiki has a list of portability issues that broke people's #!/bin/sh
scripts when Ubuntu switched from Bash to Dash. See also Bashism on wooledge's wiki. ShellCheck may not warn about all these issues.
$'c-style-escapes'
bash, ksh:
a=$' \t\n'
POSIX:
a="$(printf '%b_' ' \t\n')"; a="${a%_}" # protect trailing \n
Want some good news? See http://austingroupbugs.net/view.php?id=249#c590.
$"msgid"
Bash:
echo $"foo $(bar) baz"
POSIX:
. gettext.sh # GNU Gettext sh library
# ...
barout=$(bar)
eval_gettext 'foo $barout baz' # See GNU Gettext doc for more info.
Or you can change them to normal double quotes so you go without gettext
.
Arithmetic for
loops
Bash:
for ((init; test; next)); do foo; done
POSIX:
: $((init))
while [ $((test)) -ne 0 ]; do foo; : $((next)); done
Arithmetic exponentiation
Bash:
printf "%s\n" "$(( 2**63 ))"
POSIX:
The POSIX standard does not allow for exponents. However, you can replicate them completely built-in using a POSIX compatible function. As an example, the pow
function from here.
pow () {
set "$1" "$2" 1
while [ "$2" -gt 0 ]; do
set "$1" $(($2-1)) $(($1*$3))
done
# %d = signed decimal, %u = unsigned decimal
# Either should overflow to 0
printf "%d\n" "$3"
}
To compare:
$ echo "$(( 2**62 ))"
4611686018427387904
$ pow 2 62
4611686018427387904
Alternatively, if you don't mind using an external program, you can use bc
. Be aware though: bash
and other programs may abide by a certain maximum integer that bc
does not (for bash
that's: 64-bit signed long int, failing back to 32-bit signed long int).
Example:
# Note the overflow that gives a negative number
$ echo "$(( 2**63 ))"
-9223372036854775808
# No such problem
$ echo 2^63 | bc
9223372036854775808
# 'bc' just keeps on going
$ echo 2^1280 | bc
20815864389328798163850480654728171077230524494533409610638224700807\
21611934672059602447888346464836968484322790856201558276713249664692\
98162798132113546415258482590187784406915463666993231671009459188410\
95379622423387354295096957733925002768876520583464697770622321657076\
83317005651120933244966378183760369413644440628104205339687097746591\
6057756101739472373801429441421111406337458176
standalone ((..))
Bash:
((a=c+d))
((d)) && echo d is true.
POSIX:
: $((a=c+d)) # discard the output of the arith expn with `:` command
[ $((d)) -ne 0 ] && echo d is true. # manually check non-zero => true
select
loops
It takes extra care over terminal columns to make select loop look like bash's, which generates a list with multiple items on one line, or like ls
.
It is, however, still possible to make a naive translation for select foo in bar baz; do eat; done
:
while
_i=0 _foo= foo=
for _name in bar baz; do echo "$((_i+=1))) $_name"; done
printf '$# '; read _foo
do
case _foo in 1) foo=bar;; 2) foo=baz;; *) continue;; esac
eat
done
Here-strings
Bash, ksh:
grep aaa <<< "$g"
POSIX:
# not exactly the same -- <<< adds a trailing \n if $g doesn't end with \n
printf '%s' "$g" | grep aaa
echo flags
See https://unix.stackexchange.com/tags/echo/info.
${var/pat/replacement}
Bash:
echo "${TERM/%-256*}"
POSIX:
echo "$TERM" | sed -e 's/-256.*$//g'
# Special case for this since we are matching the end:
echo "${TERM%-256*}"
printf %q
Bash:
printf '%q ' "$@"
POSIX:
# TODO: Interpret it back to printf escapes for hard-to-copy chars like \t?
# See also: http://git.savannah.gnu.org/cgit/libtool.git/tree/gl/build-aux/funclib.sh?id=c60e054#n1029
reuse_quote()(
for i; do
__i_quote=$(printf '%s\n' "$i" | sed -e "s/'/'\\\\''/g"; echo x)
printf "'%s'" "${__i_quote%x}"
done
)
reuse_quote "$@"
Exception
Depends on what your expected POSIX shell providers would use.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
In POSIX sh, 'builtin' is undefined. Open
builtin echo -n -; builtin echo -n n; return 0
- Read upRead up
- Exclude checks
In POSIX sh, something is undefined.
You have declared that your script works with /bin/sh
, but you are using features that have undefined behavior according to the POSIX specification.
It may currently work for you, but it can or will fail on other OS, the same OS with different configurations, from different contexts (like initramfs/chroot), or in different versions of the same OS, including future updates to your current system.
Either declare that your script requires a specific shell like #!/bin/bash
or #!/bin/dash
, or rewrite the script in a portable way.
For help with rewrites, the Ubuntu wiki has a list of portability issues that broke people's #!/bin/sh
scripts when Ubuntu switched from Bash to Dash. See also Bashism on wooledge's wiki. ShellCheck may not warn about all these issues.
$'c-style-escapes'
bash, ksh:
a=$' \t\n'
POSIX:
a="$(printf '%b_' ' \t\n')"; a="${a%_}" # protect trailing \n
Want some good news? See http://austingroupbugs.net/view.php?id=249#c590.
$"msgid"
Bash:
echo $"foo $(bar) baz"
POSIX:
. gettext.sh # GNU Gettext sh library
# ...
barout=$(bar)
eval_gettext 'foo $barout baz' # See GNU Gettext doc for more info.
Or you can change them to normal double quotes so you go without gettext
.
Arithmetic for
loops
Bash:
for ((init; test; next)); do foo; done
POSIX:
: $((init))
while [ $((test)) -ne 0 ]; do foo; : $((next)); done
Arithmetic exponentiation
Bash:
printf "%s\n" "$(( 2**63 ))"
POSIX:
The POSIX standard does not allow for exponents. However, you can replicate them completely built-in using a POSIX compatible function. As an example, the pow
function from here.
pow () {
set "$1" "$2" 1
while [ "$2" -gt 0 ]; do
set "$1" $(($2-1)) $(($1*$3))
done
# %d = signed decimal, %u = unsigned decimal
# Either should overflow to 0
printf "%d\n" "$3"
}
To compare:
$ echo "$(( 2**62 ))"
4611686018427387904
$ pow 2 62
4611686018427387904
Alternatively, if you don't mind using an external program, you can use bc
. Be aware though: bash
and other programs may abide by a certain maximum integer that bc
does not (for bash
that's: 64-bit signed long int, failing back to 32-bit signed long int).
Example:
# Note the overflow that gives a negative number
$ echo "$(( 2**63 ))"
-9223372036854775808
# No such problem
$ echo 2^63 | bc
9223372036854775808
# 'bc' just keeps on going
$ echo 2^1280 | bc
20815864389328798163850480654728171077230524494533409610638224700807\
21611934672059602447888346464836968484322790856201558276713249664692\
98162798132113546415258482590187784406915463666993231671009459188410\
95379622423387354295096957733925002768876520583464697770622321657076\
83317005651120933244966378183760369413644440628104205339687097746591\
6057756101739472373801429441421111406337458176
standalone ((..))
Bash:
((a=c+d))
((d)) && echo d is true.
POSIX:
: $((a=c+d)) # discard the output of the arith expn with `:` command
[ $((d)) -ne 0 ] && echo d is true. # manually check non-zero => true
select
loops
It takes extra care over terminal columns to make select loop look like bash's, which generates a list with multiple items on one line, or like ls
.
It is, however, still possible to make a naive translation for select foo in bar baz; do eat; done
:
while
_i=0 _foo= foo=
for _name in bar baz; do echo "$((_i+=1))) $_name"; done
printf '$# '; read _foo
do
case _foo in 1) foo=bar;; 2) foo=baz;; *) continue;; esac
eat
done
Here-strings
Bash, ksh:
grep aaa <<< "$g"
POSIX:
# not exactly the same -- <<< adds a trailing \n if $g doesn't end with \n
printf '%s' "$g" | grep aaa
echo flags
See https://unix.stackexchange.com/tags/echo/info.
${var/pat/replacement}
Bash:
echo "${TERM/%-256*}"
POSIX:
echo "$TERM" | sed -e 's/-256.*$//g'
# Special case for this since we are matching the end:
echo "${TERM%-256*}"
printf %q
Bash:
printf '%q ' "$@"
POSIX:
# TODO: Interpret it back to printf escapes for hard-to-copy chars like \t?
# See also: http://git.savannah.gnu.org/cgit/libtool.git/tree/gl/build-aux/funclib.sh?id=c60e054#n1029
reuse_quote()(
for i; do
__i_quote=$(printf '%s\n' "$i" | sed -e "s/'/'\\\\''/g"; echo x)
printf "'%s'" "${__i_quote%x}"
done
)
reuse_quote "$@"
Exception
Depends on what your expected POSIX shell providers would use.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
This word is outside of quotes. Did you intend to 'nest '"'single quotes'"' instead'? Open
"\\':\\\\'" '\ :\\ ' '\&:\\&' '\=:\\=' '\<:\\<' '\>:\\>' '\;:\\;' '\^:\\^'\
- Read upRead up
- Exclude checks
This word is outside of quotes. Did you intend to 'nest '"'single quotes'"'
instead'?
Problematic code:
alias server_uptime='ssh $host 'uptime -p''
Correct code:
alias server_uptime='ssh $host '"'uptime -p'"
Rationale:
In the first case, the user has four single quotes on a line, wishfully hoping that the shell will match them up as outer quotes around a string with literal single quotes:
# v--------match--------v
alias server_uptime='ssh $host 'uptime -p''
# ^--match--^
The shell, meanwhile, always terminates single quoted strings at the first possible single quote:
# v---match--v
alias server_uptime='ssh $host 'uptime -p''
# ^^
Which is the same thing as alias server_uptime='ssh $host uptime' -p
.
There is no way to nest single quotes. However, single quotes can be placed literally in double quotes, so we can instead concatenate a single quoted string and a double quoted string:
# v--match---v
alias server_uptime='ssh $host '"'uptime -p'"
# ^---match---^
This results in an alias with embedded single quotes.
Exceptions
None.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Double quote to prevent globbing and word splitting. Open
eval shellspec_join SHELLSPEC_EXPECTATION '" "' The ${1+'"$@"'}
- Read upRead up
- Exclude checks
Double quote to prevent globbing and word splitting.
Problematic code:
echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done
Correct code:
echo "$1"
for i in "$@"; do :; done # or, 'for i; do'
Rationale
The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."
The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.
Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.
Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:
$HOME/$dir/dist/bin/$file # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file" # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file" # Canonical quoting (good)
When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c"
will not expand, but "$HOME/$dir/src"/*.c
will.
Note that $( )
starts a new context, and variables in it have to be quoted independently:
echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"
Exceptions
Sometimes you want to split on spaces, like when building a command line:
options="-j 5 -B"
make $options file
Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):
options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file
or a function (POSIX):
make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file
To split on spaces but not perform glob expansion, Posix has a set -f
to disable globbing. You can disable word splitting by setting IFS=''
.
Similarly, you might want an optional argument:
debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script
Quoting this doesn't work, since in the default case, "$debug"
would expand to one empty argument while $debug
would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:
debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script
This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}
.
As always, this warning can be [[ignore]]d on a case-by-case basis.
this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...
FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Can't follow non-constant source. Use a directive to specify location. Open
. "$SHELLSPEC_SUPPORT_BIN"
- Read upRead up
- Exclude checks
Can't follow non-constant source. Use a directive to specify location.
Problematic code:
. "$(find_install_dir)/lib.sh"
Correct code:
# shellcheck source=src/lib.sh
. "$(find_install_dir)/lib.sh"
Rationale:
ShellCheck is not able to include sourced files from paths that are determined at runtime. The file will not be read, potentially resulting in warnings about unassigned variables and similar.
Use a [[Directive]] to point shellcheck to a fixed location it can read instead.
Exceptions:
If you don't care that ShellCheck is unable to account for the file, specify # shellcheck source=/dev/null
.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Double quote to prevent globbing and word splitting. Open
done 2>/dev/null; cd "$2" && OLDPWD=$3 && [ ${5+x} ] && printf '%s\n' "$5"
- Read upRead up
- Exclude checks
Double quote to prevent globbing and word splitting.
Problematic code:
echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done
Correct code:
echo "$1"
for i in "$@"; do :; done # or, 'for i; do'
Rationale
The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."
The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.
Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.
Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:
$HOME/$dir/dist/bin/$file # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file" # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file" # Canonical quoting (good)
When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c"
will not expand, but "$HOME/$dir/src"/*.c
will.
Note that $( )
starts a new context, and variables in it have to be quoted independently:
echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"
Exceptions
Sometimes you want to split on spaces, like when building a command line:
options="-j 5 -B"
make $options file
Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):
options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file
or a function (POSIX):
make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file
To split on spaces but not perform glob expansion, Posix has a set -f
to disable globbing. You can disable word splitting by setting IFS=''
.
Similarly, you might want an optional argument:
debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script
Quoting this doesn't work, since in the default case, "$debug"
would expand to one empty argument while $debug
would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:
debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script
This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}
.
As always, this warning can be [[ignore]]d on a case-by-case basis.
this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...
FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
GP_HOSTNAME appears unused. Verify it or export it. Open
GP_HOSTNAME=ubuntu
- Read upRead up
- Exclude checks
foo appears unused. Verify it or export it.
Problematic code:
foo=42
echo "$FOO"
Correct code:
foo=42
echo "$foo"
Rationale:
Variables not used for anything are often associated with bugs, so ShellCheck warns about them.
Also note that something like local let foo=42
does not make a let
statement local -- it instead declares an additional local variable named let
.
Exceptions
ShellCheck may not always realize that the variable is in use (especially with indirection), and may not realize you don't care (with throwaway variables or unimplemented features).
For throwaway variables, consider using _
as a dummy:
read _ last _ zip _ _ <<< "$str"
echo "$last, $zip"
or use a directive to disable the warning:
# shellcheck disable=SC2034
read first last email zip lat lng <<< "$str"
echo "$last, $zip"
For indirection, there's not much you can do without rewriting to use arrays or similar:
bar=42 # will always appear unused
foo=bar
echo "${!foo}"
This is expected behavior, and not a bug. There is no good way to statically analyze indirection in shell scripts, just like static C analyzers have a hard time preventing segfaults.
As always, there are ways to [[ignore]] this and other messages if they frequently get in your way.
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Quote this to prevent word splitting. Open
count source $(sources)
- Read upRead up
- Exclude checks
Quote this to prevent word splitting
Problematic code:
ls -l $(getfilename)
Correct code:
# getfilename outputs 1 file
ls -l "$(getfilename)"
# getfilename outputs multiple files, linefeed separated
getfilename | while IFS='' read -r line
do
ls -l "$line"
done
Rationale:
When command expansions are unquoted, word splitting and globbing will occur. This often manifests itself by breaking when filenames contain spaces.
Trying to fix it by adding quotes or escapes to the data will not work. Instead, quote the command substitution itself.
If the command substitution outputs multiple pieces of data, use a loop instead.
Exceptions
In rare cases you actually want word splitting, such as in
gcc $(pkg-config --libs openssl) client.c
This is because pkg-config
outputs -lssl -lcrypto
, which you want to break up by spaces into -lssl
and -lcrypto
. An alternative is to put the variables to an array and expand it:
args=( $(pkg-config --libs openssl) )
gcc "${args[@]}" client.c
The power of using an array becomes evident when you want to combine, for example, the command result with user-provided arguments:
compile () {
args=( $(pkg-config --libs openssl) "${@}" )
gcc "${args[@]}" client.c
}
compile -DDEBUG
+ gcc -lssl -lcrypto -DDEBUG client.c
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.
Double quote to prevent globbing and word splitting. Open
eval exec "$SHELLSPEC_SHELL" "\"$exec\"" ${1+'"$@"'}
- Read upRead up
- Exclude checks
Double quote to prevent globbing and word splitting.
Problematic code:
echo $1
for i in $*; do :; done # this done and the next one also applies to expanding arrays.
for i in $@; do :; done
Correct code:
echo "$1"
for i in "$@"; do :; done # or, 'for i; do'
Rationale
The first code looks like "print the first argument". It's actually "Split the first argument by IFS (spaces, tabs and line feeds). Expand each of them as if it was a glob. Join all the resulting strings and filenames with spaces. Print the result."
The second one looks like "iterate through all arguments". It's actually "join all the arguments by the first character of IFS (space), split them by IFS and expand each of them as globs, and iterate on the resulting list". The third one skips the joining part.
Quoting variables prevents word splitting and glob expansion, and prevents the script from breaking when input contains spaces, line feeds, glob characters and such.
Strictly speaking, only expansions themselves need to be quoted, but for stylistic reasons, entire arguments with multiple variable and literal parts are often quoted as one:
$HOME/$dir/dist/bin/$file # Unquoted (bad)
"$HOME"/"$dir"/dist/bin/"$file" # Minimal quoting (good)
"$HOME/$dir/dist/bin/$file" # Canonical quoting (good)
When quoting composite arguments, make sure to exclude globs and brace expansions, which lose their special meaning in double quotes: "$HOME/$dir/src/*.c"
will not expand, but "$HOME/$dir/src"/*.c
will.
Note that $( )
starts a new context, and variables in it have to be quoted independently:
echo "This $variable is quoted $(but this $variable is not)"
echo "This $variable is quoted $(and now this "$variable" is too)"
Exceptions
Sometimes you want to split on spaces, like when building a command line:
options="-j 5 -B"
make $options file
Just quoting this doesn't work. Instead, you should have used an array (bash, ksh, zsh):
options=(-j 5 -B) # ksh: set -A options -- -j 5 -B
make "${options[@]}" file
or a function (POSIX):
make_with_flags() { make -j 5 -B "$@"; }
make_with_flags file
To split on spaces but not perform glob expansion, Posix has a set -f
to disable globbing. You can disable word splitting by setting IFS=''
.
Similarly, you might want an optional argument:
debug=""
[[ $1 == "--trace-commands" ]] && debug="-x"
bash $debug script
Quoting this doesn't work, since in the default case, "$debug"
would expand to one empty argument while $debug
would expand into zero arguments. In this case, you can use an array with zero or one elements as outlined above, or you can use an unquoted expansion with an alternate value:
debug=""
[[ $1 == "--trace-commands" ]] && debug="yes"
bash ${debug:+"-x"} script
This is better than an unquoted value because the alternative value can be properly quoted, e.g. wget ${output:+ -o "$output"}
.
As always, this warning can be [[ignore]]d on a case-by-case basis.
this is especially relevant when BASH many not be available for the array work around. For example, use in eval or in command options where script has total control of the variables...
FLAGS="-av -e 'ssh -x' --delete --delete-excluded"
...
# shellcheck disable=SC2086
eval rsync $FLAGS ~/dir remote_host:dir
Notice
Original content from the ShellCheck https://github.com/koalaman/shellcheck/wiki.