Valve fucks up

[$alvador]

http://www.theregister.co.uk/2015/01/17/scary_code_of_the_week_steam_cleans_linux_pcs/

Linux desktop gamers should know of a bug in Valve's Steam client that will, if you're not careful, delete all files on your PC belonging to your regular user account.

According to a bug report filed on GitHub, moving Steam's per-user folder to another location in the filesystem, and then attempting to launch the client may perform the following heart-stopping command: rm -rf /*

code in question:

# figure out the absolute path to the script being run a bit
# non-obvious, the ${0%/*} pulls the path out of $0, cd's into the
# specified directory, then uses $PWD to figure out where that
# directory lives - and all this in a subshell, so we don't affect
# $PWD
STEAMROOT="$(cd "${0%/*}" && echo $PWD)"

# Scary!
rm -rf "$STEAMROOT/"*

So yeah, Steam client for Linux likely a total hack job. Even a novice should know not to do something so insecure. This makes me think that Valve probably outsoured a bunch of the work to freelancers

 

[ᴰᴳᴺ Church of KFC]

Oh god, that's so stupid... I mean, valve sorta needs to step it up, they've been dissapointing their fans way too much.

 

[up-n-atom]

http://www.theregister.co.uk/2015/01/17/scary_code_of_the_week_steam_cleans_linux_pcs/





So yeah, Steam client for Linux likely a total hack job. Even a novice should know not to do something so insecure. This makes me think that Valve probably outsoured a bunch of the work to freelancers

That's what happens with the overzealous use of shell scripts and depending on expected behaviour. I see the comment "Scary!" before that remove, so they knew its inclination. It should've been apparent to check for empty and use the appropriate path tools: basename, readlink, dirname.

 

[$alvador]

yeh it's lazy coding at best, sadly some people don't even bother to think about what can be exploited

 

[MetalLobster]

Valve already outsourced development of CS:GO to Hidden Path Entertainment, so it's not outside their playbook if they really did put off Steam for Linux to a bunch of other people.

 

[amanshotme]

That's what happens with the overzealous use of shell scripts and depending on expected behaviour. I see the comment "Scary!" before that remove, so they knew its inclination. It should've been apparent to check for empty and use the appropriate path tools: basename, readlink, dirname.

The worst part is it doesn't take that much more time or space to add those failsafe checks. I also wonder if they did any proper testing.