From 433e5c233156544ead4496ce641c264bed76fdac Mon Sep 17 00:00:00 2001 From: koalaman Date: Sat, 6 Jan 2018 10:54:23 -0800 Subject: [PATCH] Created SC2223 (markdown) --- SC2223.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 SC2223.md diff --git a/SC2223.md b/SC2223.md new file mode 100644 index 0000000..e6ceb0f --- /dev/null +++ b/SC2223.md @@ -0,0 +1,24 @@ +## This default assignment may cause DoS due to globbing. Quote it. + +### Problematic code: + +```sh +: ${COLUMNS:=80} +``` + +### Correct code: + +```sh +: "${COLUMNS:=80}" +``` +### Rationale: + +This statement is an idiomatic way of assigning a default value to an environment variable. However, even though it's passed to `:` which ignores arguments, it's better to quote it. + +If `COLUMNS='/*/*/*/*/*/*'`, the unquoted, problematic code may spend 30+ minutes trashing the disk as it unnecessarily tries to glob expand the value. + +The correct code uses double quotes to avoid glob expansion, and therefore does not have this problem. + +### Exceptions: + +None, though this issue is largely theoretical. \ No newline at end of file
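Review bot: in the Rationale paragraph, `+If `COLUMNS='/*/*/*/*/*/*'`, the unquoted, problematic code may spend 30+ minutes trashing the disk` should read "thrashing the disk" (disk thrashing is the term for the I/O churn a recursive glob walk causes), and the sentence would be clearer if it said what actually expands: `${COLUMNS:=80}` yields the existing value whenever COLUMNS is already set and non-empty, and it is that expanded value, passed as an argument to `:`, that undergoes pathname expansion, so the default `80` is never the problem and the risk exists only where COLUMNS can be set by a caller you do not trust. Two style points in the same hunk: the closing fence of the `### Correct code:` block runs straight into `### Rationale:` with no blank line, unlike the `### Problematic code:` section above it, so add the blank line for consistency; and the file should end with a trailing newline so git stops reporting `\ No newline at end of file`.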