rdkcentral · arun-madhavan-013 · Feb 27, 2026 · Feb 27, 2026 · Copilot · Feb 27, 2026
diff --git a/classes/rdkv-community-configs.bbclass b/classes/rdkv-community-configs.bbclass
@@ -23,6 +23,11 @@ install_community_rfc_configs() {
     if [ -f "${MANIFEST_PATH_RDK_IMAGES}/conf/community-rfc-configs.ini" ]; then
         bbnote "Installing community RFC configs..."
         install -D -m 0644 ${MANIFEST_PATH_RDK_IMAGES}/conf/community-rfc-configs.ini ${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
+        if [ -n "${DAC_APPSTORE_URL}" ]; then
+            echo "Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.DAC.ConfigURL=${DAC_APPSTORE_URL}" >> ${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
-            echo "Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.DAC.ConfigURL=${DAC_APPSTORE_URL}" >> ${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
+            # Validate DAC_APPSTORE_URL to avoid unsafe shell characters that could trigger command substitution.
+            if printf '%s' "${DAC_APPSTORE_URL}" | grep -q '[$`]' ; then
+                bbwarn "DAC_APPSTORE_URL contains unsafe characters (\$ or \`). Skipping DAC configuration."
+            else
+                printf 'Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.DAC.ConfigURL=%s\n' "${DAC_APPSTORE_URL}" >> ${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
+            fi
-        install -D -m 0644 ${MANIFEST_PATH_RDK_IMAGES}/conf/community-rfc-configs.ini ${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
-        if [ -n "${DAC_APPSTORE_URL}" ]; then
-            echo "Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.DAC.ConfigURL=${DAC_APPSTORE_URL}" >> ${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
+        config_file=${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
+        install -D -m 0644 ${MANIFEST_PATH_RDK_IMAGES}/conf/community-rfc-configs.ini "${config_file}"
+        if [ -n "${DAC_APPSTORE_URL}" ]; then
+            # Ensure the config file ends with a newline before appending
+            if [ -s "${config_file}" ] && [ -n "$(tail -c1 "${config_file}" 2>/dev/null)" ]; then
+                echo >> "${config_file}"
+            fi
+            echo "Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.DAC.ConfigURL=${DAC_APPSTORE_URL}" >> "${config_file}"
-            echo "Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.DAC.ConfigURL=${DAC_APPSTORE_URL}" >> ${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
+            # Validate DAC_APPSTORE_URL to avoid unsafe shell characters that could trigger command substitution.
+            if printf '%s' "${DAC_APPSTORE_URL}" | grep -q '[$`]' ; then
+                bbwarn "DAC_APPSTORE_URL contains unsafe characters (\$ or \`). Skipping DAC configuration."
+            else
+                printf 'Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.DAC.ConfigURL=%s\n' "${DAC_APPSTORE_URL}" >> ${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
+            fi
-        install -D -m 0644 ${MANIFEST_PATH_RDK_IMAGES}/conf/community-rfc-configs.ini ${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
-        if [ -n "${DAC_APPSTORE_URL}" ]; then
-            echo "Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.DAC.ConfigURL=${DAC_APPSTORE_URL}" >> ${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
+        config_file=${IMAGE_ROOTFS}/etc/rfcdefaults/community-rfc-configs.ini
+        install -D -m 0644 ${MANIFEST_PATH_RDK_IMAGES}/conf/community-rfc-configs.ini "${config_file}"
+        if [ -n "${DAC_APPSTORE_URL}" ]; then
+            # Ensure the config file ends with a newline before appending
+            if [ -s "${config_file}" ] && [ -n "$(tail -c1 "${config_file}" 2>/dev/null)" ]; then
+                echo >> "${config_file}"
+            fi
+            echo "Device.DeviceInfo.X_RDKCENTRAL-COM_RFC.DAC.ConfigURL=${DAC_APPSTORE_URL}" >> "${config_file}"
+        else
+            bbwarn "DAC_APPSTORE_URL is not set. Skipping DAC configuration."
+        fi
     fi
 }