v2.0.8 — Temp File, sed Injection & Strict Mode Fixes

@AI3I AI3I released this 02 Apr 21:50
· 10 commits to main since this release

What's New in 2.0.8

Seven bugs fixed — all variants of the same root causes identified during the 2.0.7 audit. Drop-in compatible with 2.0.7.


Fixed

  • weatheralert.sh: Alert audio temp file vulnerable to fs.protected_regular. /tmp/weather_alert_message.ulaw failed silently after first run once the asterisk cron user owned the file. Moved to ${BASEDIR}/lib/weatheralert_${MYNODE}.ulaw (same fix class as weatherkeeper.sh in 2.0.7).

  • kerchunkd.sh: PID/lock/state files in /tmp vulnerable to fs.protected_regular. /tmp/kerchunkd.pid, /tmp/kerchunkd.lock, and /tmp/app_rpt_kerchunk/ all moved to ${BASEDIR}/lib/ per-node paths.

  • statekeeper.sh: State file in /tmp vulnerable to fs.protected_regular. /tmp/app_rpt_last_state moved to ${BASEDIR}/lib/last_state_${MYNODE}.

  • statekeeper.sh: sed injection via courtesy tone config values — CT config values (e.g. ct/unlinked) containing / corrupted rpt.conf sed expressions silently. All CT variable substitutions now wrapped with escape_sed_replacement().

  • statekeeper.sh, weatheralert.sh, asterisk.sh, cmdparser.sh, ctkeeper.sh, ctwriter.sh: set -euo pipefail after source common.sh — Errors during common.sh loading were silently ignored. Moved set -euo pipefail before source in all six scripts (same fix as configkeeper.sh in 2.0.7).

  • msgwriter.sh: xargs cat splits on whitespace — Changed to xargs -d '\n' cat so sound file paths containing spaces are handled correctly.

Infrastructure

  • escape_sed_replacement() promoted from upgrade.sh to common.sh so all scripts have access to it.
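
An added example (not code from this release or the project) of the statekeeper.sh sed injection fix: a courtesy tone value containing / breaks an unescaped s/// replacement, and escaping it first keeps the value literal. The names sed_escape_repl, set_ct_unsafe and set_ct_safe and the sample line are assumptions standing in for the project's escape_sed_replacement(), whose implementation is not shown here; handling of & and backslash goes beyond the / case the notes mention.

```shell
#!/bin/sh
# Added example; sed_escape_repl is a hypothetical stand-in, not the
# project's escape_sed_replacement() implementation.

# Escape the three characters that are special in the replacement half of
# s/.../.../ when "/" is the delimiter: backslash, "&" and "/" itself.
# Assumes single-line values.
sed_escape_repl() {
    printf '%s' "$1" | sed -e 's|[\\&/]|\\&|g'
}

# Constructed sample line standing in for one courtesy-tone setting.
SAMPLE='unlinkedct=ct8'

# Before: the config value is pasted straight into the sed expression.
# stderr is discarded to mirror the silent failure described in the notes.
set_ct_unsafe() {
    printf '%s\n' "$SAMPLE" | sed "s/^unlinkedct=.*/unlinkedct=$1/" 2>/dev/null
}

# After: the value is escaped first, so it is always treated as literal text.
set_ct_safe() {
    printf '%s\n' "$SAMPLE" | sed "s/^unlinkedct=.*/unlinkedct=$(sed_escape_repl "$1")/"
}

# Demo over constructed values: a plain one, one with "/", one with "&".
for v in 'ct8' 'ct/unlinked' 'ct&1'; do
    printf 'value:  %s\n' "$v"
    printf 'unsafe: %s\n' "$(set_ct_unsafe "$v" || echo '<sed error, line not rewritten>')"
    printf 'safe:   %s\n' "$(set_ct_safe "$v")"
done
```

With the unescaped form, the value ct/unlinked makes sed reject the expression so the line is never rewritten, and ct&1 is rewritten to the wrong text because & expands to the matched line.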