From d42a2bc19fb4cfefe6355b91e1530c79d4cd2dda Mon Sep 17 00:00:00 2001
From: Alexandre <44178713+alexbelgium@users.noreply.github.com>
Date: Sat, 5 Jul 2025 12:47:59 +0200
Subject: [PATCH] shell escape

https://github.com/alexbelgium/hassio-addons/issues/1933
---
 .templates/01-config_yaml.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.templates/01-config_yaml.sh b/.templates/01-config_yaml.sh
index fc7cd518e..6bbdee859 100644
--- a/.templates/01-config_yaml.sh
+++ b/.templates/01-config_yaml.sh
@@ -50,6 +50,7 @@ fi
 
 shell_escape() { printf '%q' "$1"; }
 
+# Prints key=value from YAML, ignoring comments/underscored keys
 read_config() {
     local file="$1"
     if $HAS_YQ; then
@@ -80,6 +81,12 @@ get_secret() {
     fi
 }
 
+# Safe double-quote for .env and /etc/environment (bash and python compatible)
+dq_escape() {
+    # Escape only embedded double quotes and dollar signs for shell (not for YAML)
+    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g; s/\$/\\$/g'
+}
+
 while IFS= read -r LINE; do
     [[ -z "$LINE" || "$LINE" != *=* ]] && continue
     KEY="${LINE%%=*}"
@@ -105,7 +112,7 @@ with p.open('a') as f:
 os.environ[k] = v
 PY
     fi
-    env_val="${VALUE//"/\"}"
+    env_val=$(dq_escape "$VALUE")
     printf '%s="%s"\n' "$KEY" "$env_val" >> /.env
     printf '%s="%s"\n' "$KEY" "$env_val" >> /etc/environment
     [[ -d /var/run/s6/container_environment ]] && printf '%s' "$VALUE" > "/var/run/s6/container_environment/$KEY"