Valve fucks up

$alvador

TD Member
http://www.theregister.co.uk/2015/01/17/scary_code_of_the_week_steam_cleans_linux_pcs/

Linux desktop gamers should know of a bug in Valve's Steam client that will, if you're not careful, delete all files on your PC belonging to your regular user account.

According to a bug report filed on GitHub, moving Steam's per-user folder to another location in the filesystem, and then attempting to launch the client may perform the following heart-stopping command: rm -rf /*

code in question:

Code:
# figure out the absolute path to the script being run a bit
# non-obvious, the ${0%/*} pulls the path out of $0, cd's into the
# specified directory, then uses $PWD to figure out where that
# directory lives - and all this in a subshell, so we don't affect
# $PWD
STEAMROOT="$(cd "${0%/*}" && echo $PWD)"

# Scary!
rm -rf "$STEAMROOT/"*

So yeah, Steam client for Linux likely a total hack job. Even a novice should know not to do something so insecure. This makes me think that Valve probably outsoured a bunch of the work to freelancers
 

up-n-atom

DARKLY Regular
http://www.theregister.co.uk/2015/01/17/scary_code_of_the_week_steam_cleans_linux_pcs/





So yeah, Steam client for Linux likely a total hack job. Even a novice should know not to do something so insecure. This makes me think that Valve probably outsoured a bunch of the work to freelancers

That's what happens with the overzealous use of shell scripts and depending on expected behaviour. I see the comment "Scary!" before that remove, so they knew its inclination. It should've been apparent to check for empty and use the appropriate path tools: basename, readlink, dirname.
 

$alvador

TD Member
yeh it's lazy coding at best, sadly some people don't even bother to think about what can be exploited
 

MetalLobster

TD Admin
Valve already outsourced development of CS:GO to Hidden Path Entertainment, so it's not outside their playbook if they really did put off Steam for Linux to a bunch of other people.
 

amanshotme

TD Member
That's what happens with the overzealous use of shell scripts and depending on expected behaviour. I see the comment "Scary!" before that remove, so they knew its inclination. It should've been apparent to check for empty and use the appropriate path tools: basename, readlink, dirname.


The worst part is it doesn't take that much more time or space to add those failsafe checks. I also wonder if they did any proper testing.
 
Top