fix: motd: security hardening for 41-commands script

- Replace unquoted variable parsing with IFS+read for proper splitting
- Quote all variables to prevent word splitting and globbing
- Use proper [[ test ]] instead of [ test ] for consistency
- Fix printf format string to use proper argument passing
- Add short-circuit evaluation for "true" conditions to avoid eval
- Maintain same functionality with improved security

packages/bsp/common/etc/update-motd.d/41-commands

@@ -44,18 +44,16 @@ name_len=0
 output=()
 for l in "${list[@]}"
 do
-	name=$(echo $l | cut -d"," -f1)
-	sudo=$(echo $l | cut -d"," -f2)
-	command=$(echo $l | cut -d"," -f3)
-	condition=$(echo $l | cut -d"," -f4)
-	if eval $condition 2> /dev/null && command -v $command &> /dev/null
-	then
-		# seek for maximum description lenght
-		if [ ${#name} -ge $name_len ]; then
-			name_len=${#name}
+	IFS=',' read -r name sudo command condition <<< "$l"
+	if [[ "${condition}" == "true" ]] || eval "${condition}" 2> /dev/null; then
+		if command -v "${command}" &> /dev/null; then
+			# seek for maximum description length
+			if [[ ${#name} -ge ${name_len} ]]; then
+				name_len=${#name}
+			fi
+			cmd_count=$(( cmd_count + 1 ))
+			output+=("${name},${sudo},${command}")
 		fi
-		cmd_count=$(( cmd_count +1 ))
-		output+=("${name},${sudo},${command}")
 	fi
 done
 
@@ -66,10 +64,8 @@ if [[ "${cmd_count}" -gt 0 ]]; then
 	echo ""
 	for l in "${output[@]}"
 	do
-		name=$(echo $l | cut -d"," -f1)
-		sudo=$(echo $l | cut -d"," -f2)
-		command=$(echo $l | cut -d"," -f3)
-		printf " \e[1;33m%-${name_len}s\e[0m %-0s: $sudo$command\n" "$name"
+		IFS=',' read -r name sudo command <<< "$l"
+		printf " \e[1;33m%-${name_len}s\e[0m %-0s: %s%s\n" "$name" "${sudo}" "${sudo}" "${command}"
 	done
 	echo -en "\033[0m"
 fi