security fix for setting env vars

ChangeLog

@@ -32,6 +32,7 @@
 - added im_draw_smudge(), moved im_smudge() / im_smear() to deprecated
 - convolution functions support complex images
 - im_blend() can have any format condition image and it's converted to uchar
+- security fix for vips-7.23 wrapper script (thanks Jay)
 
 12/5/10 started 7.22.2
 - the conditional image of ifthenelse can be any format, a (!=0) is added if

TODO

@@ -1,4 +1,3 @@
-- check gtk-doc output
 
 - maybe im_draw_smudge() is too slow :-( also, we had a sanity failure with
   it, argh
@@ -10,8 +9,6 @@
 
 - how do we wrap inplace ops in C++ now? will checking the RW bit help at all?
 
-- use im__inplace_base() in more places
-
 - consider:
 
 	if( im_check_vector( "im__vector_to_ink", n, im ) )

tools/scripts/vips-7.23

@@ -19,6 +19,20 @@ if [[ $# < 1 ]]; then
 	exit 1
 fi
 
+# prepend a path component to an environment variable
+# be careful to avoid trailing : characters if the var is not defined, they
+# can cause security problems
+function prepend_var () {
+	# we have to use eval to do double indirection, I think
+	eval value=x"\$$1"
+	if [ $value = x ]; then
+		export $1=$2
+	else 
+		eval value="\$$1"
+		export $1=$2:$value
+	fi
+}
+
 # try to extract the prefix from a path to an executable
 # eg. "/home/john/vips/bin/fred" -> "/home/john/vips"
 function find_prefix () {
@@ -92,25 +106,26 @@ fi
 export VIPSHOME=$prefix
 
 # add VIPSHOME to man pages
-export MANPATH=$VIPSHOME/man:$MANPATH
+prepend_var MANPATH $VIPSHOME/man
 
 # add the VIPS lib area to the library path
 case `uname` in
 HPUX)
-	export SHLIB_PATH=$VIPSHOME/lib:$SHLIB_PATH
+	libvar=SHLIB_PATH 
 	;;
 
 Darwin)
-	export DYLD_LIBRARY_PATH=$VIPSHOME/lib:$DYLD_LIBRARY_PATH
+	libvar=DYLD_LIBRARY_PATH
 	;;
  
 *)
-	export LD_LIBRARY_PATH=$VIPSHOME/lib:$LD_LIBRARY_PATH
+	libvar=LD_LIBRARY_PATH
 	;;
 esac
+prepend_var $libvar $VIPSHOME/lib
 
 # add VIPS bin area to path
-export PATH=$VIPSHOME/bin:$PATH
+prepend_var PATH $VIPSHOME/bin
 
 # run, passing in args we were passed
 exec $*