From: Stephane Chazelas <stephane@chazelas.org>
To: Bart Schaefer <schaefer@brasslantern.com>
Cc: Zsh hackers list <zsh-workers@zsh.org>
Subject: Re: [PATCH (not final)] (take three?) unset "array[$anything]"
Date: Thu, 3 Jun 2021 07:05:46 +0100 [thread overview]
Message-ID: <20210603060546.lvai62egrinwrbni@chazelas.org> (raw)
In-Reply-To: <CAH+w=7a3hgsag-1WsLxn1yTUja8ooZ+K4eFQhNzHKc32o4a3yg@mail.gmail.com>
2021-06-02 19:04:01 -0700, Bart Schaefer:
> On Wed, Jun 2, 2021 at 8:59 AM Bart Schaefer <schaefer@brasslantern.com> wrote:
> >
> > I've just had a hand-slaps-forehead
> > moment ... take 3 to follow in another thread.
>
> What I realized is that for any unset of an array element, the closing
> bracket must always be the last character of the argument. There's no
> reason to parse the subscript or skip over matching brackets; if a '['
> is found, just make sure the last character is ']' and the subscript
> must be everything in between.
D'oh, I had assumed that had been like that in the beginning but
changed to allow backslash processing for some reason or other
such as alignment with something else.
[...]
> Given this realization, it's easy to make { unset "hash[$key]" } work
> "like it always should have". The trouble comes in with (not)
> breaking past workarounds.
I think I'd be in favour of breaking these workarounds on the
ground that it would fix far more existing script (that just do
unset "hash[$key]") than it would fix.
There's also the question of what to do with
read "hash[$key]"
getopts "hash[$key]"
and getln, print[f] -v, sysread, strftime -s...
I've not tested all of them but at least for read and print -v,
key=foo
typeset -A a
print -v 'a[$key]' x
gives:
typeset -A a=( [foo]=x )
and not
typeset -A a=( ['$key']=x )
With those, one can't do:
read "hash[$key]"
(which would be a command injection vulnerability)
And the (unintuitive) work around is:
read 'hash[$key]'
It's the same in bash unless you set the assoc_expand_once
option there, not in ksh93.
My suggestion of making unset a keyword so that unset hash[$key]
works as expected while unset "hash[$key]" works as before
won't fly as we can't possibly make all builtins that take
lvalues keywords.
[...]
> Therefore I think the best option is to choose one of the latter two,
> possibly depending on which one induces the least damage to any
> workarounds for the current behavior that are known in the wild,
> though aesthetically I'd rather use the literal version.
[...]
Well, the only one that doesn't break workarounds is to leave it
asis (and potentially add support for unset 'hash[]'), or
introduce a new syntax (like unset -k "$key" hash) or an option
like bash's assoc_expand_once to switch to the new behaviour.
We can't really expect people to carry on doing:
() { set -o localoptions +o multibyte -o extendedglob
unset "hash[${key//(#m)[][\\()\`]/\\$MATCH}]"; }
to unset a hash key, so I don't thing it's reasonable to leave
it asis.
Another option would be to align unset with the other builtins,
but that's even more problematic as codes that were doing:
unset "hash[$key]"
would change from being buggy (choking on []()`\ and other
characters containing the encoding of those) to being command
injection vulnerabilities (like with bash without
assoc_expand_once):
$ echo x | key='$(uname>&2)x' bash -c 'typeset -A a; a[$key]=1; unset "a[$key]"; typeset -p a'
Linux
declare -A a=(["\$(uname>&2)x"]="1" )
$ echo x | key='$(uname>&2)x' bash -O assoc_expand_once -c 'typeset -A a; a[$key]=1; unset "a[$key]"; typeset -p a'
declare -A a=()
(zsh has the same problem with read/print -v...)
And again, there is also the problem of hashes used in
arithmetic expressions, including:
key='evil $(reboot)'
print -v 'array[++hash[\$key]]' x
(here you need both the single quotes and the \ to avoid
evaluations of code in the contents of $key)
I must admit I don't really have an idea of how to get out of
this mess. bash, which must have gone through a similar
exercise, hasn't fixed everything with its assoc_expand_once
(see
https://unix.stackexchange.com/questions/627474/how-to-use-associative-arrays-safely-inside-arithmetic-expressions/627475#627475
again).
--
Stephane
next prev parent reply other threads:[~2021-06-03 6:06 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-16 21:10 regexp-replace and ^, word boundary or look-behind operators Stephane Chazelas
2019-12-16 21:27 ` Stephane Chazelas
2019-12-17 7:38 ` Stephane Chazelas
2019-12-17 11:11 ` [PATCH] " Stephane Chazelas
2019-12-18 0:22 ` Daniel Shahaf
2019-12-18 8:31 ` Stephane Chazelas
2020-01-01 14:03 ` [PATCH v2] " Stephane Chazelas
2021-04-30 6:11 ` Stephane Chazelas
2021-04-30 23:13 ` Bart Schaefer
2021-05-05 11:45 ` [PATCH v3] regexp-replace and ^, word boundary or look-behind operators (and more) Stephane Chazelas
2021-05-31 0:58 ` Lawrence Velázquez
2021-05-31 18:18 ` Bart Schaefer
2021-05-31 21:37 ` [PATCH] (?) typeset array[position=index]=value Bart Schaefer
2021-06-01 5:32 ` Stephane Chazelas
2021-06-01 16:05 ` Bart Schaefer
2021-06-02 2:51 ` [PATCH] (take two?) typeset array[position=index]=value / unset hash[$stuff] Bart Schaefer
2021-06-02 10:06 ` Stephane Chazelas
2021-06-02 14:52 ` Bart Schaefer
2021-06-02 16:02 ` Stephane Chazelas
2021-06-02 9:11 ` [PATCH] (?) typeset array[position=index]=value Stephane Chazelas
2021-06-02 13:34 ` Daniel Shahaf
2021-06-02 14:20 ` Stephane Chazelas
2021-06-02 15:59 ` Bart Schaefer
2021-06-03 2:04 ` [PATCH (not final)] (take three?) unset "array[$anything]" Bart Schaefer
2021-06-03 2:42 ` Bart Schaefer
2021-06-03 6:12 ` Bart Schaefer
2021-06-03 8:54 ` Peter Stephenson
2021-06-03 13:13 ` Stephane Chazelas
2021-06-03 14:41 ` Peter Stephenson
2021-06-04 19:25 ` Bart Schaefer
2021-06-05 18:18 ` Peter Stephenson
2021-06-09 23:31 ` Bart Schaefer
2021-06-13 16:51 ` Peter Stephenson
2021-06-13 18:04 ` Bart Schaefer
2021-06-13 19:48 ` Peter Stephenson
2021-06-13 21:44 ` Bart Schaefer
2021-06-14 7:19 ` Stephane Chazelas
2021-06-03 18:12 ` Bart Schaefer
2021-06-04 8:02 ` Stephane Chazelas
2021-06-04 18:36 ` Bart Schaefer
2021-06-04 20:21 ` Stephane Chazelas
2021-06-05 0:20 ` Bart Schaefer
2021-06-05 17:05 ` Stephane Chazelas
2021-06-10 0:14 ` Square brackets in command position Bart Schaefer
2021-06-03 6:05 ` Stephane Chazelas [this message]
2021-06-03 6:43 ` [PATCH (not final)] (take three?) unset "array[$anything]" Bart Schaefer
2021-06-03 7:31 ` Stephane Chazelas
2021-06-10 0:21 ` [PATCH] (?) typeset array[position=index]=value Bart Schaefer
2021-06-05 4:29 ` Mikael Magnusson
2021-06-05 5:49 ` Bart Schaefer
2021-06-05 11:06 ` Mikael Magnusson
2021-06-05 16:22 ` Bart Schaefer
2021-06-18 10:53 ` Mikael Magnusson
2024-03-08 15:30 ` [PATCH v3] regexp-replace and ^, word boundary or look-behind operators (and more) Stephane Chazelas
2024-03-09 8:41 ` [PATCH v5] " Stephane Chazelas
2024-03-09 9:21 ` MBEGIN when =~ finds bytes inside characters (Was: [PATCH v5] regexp-replace and ^, word boundary or look-behind operators (and more).) Stephane Chazelas
2024-03-09 13:03 ` [PATCH v3] regexp-replace and ^, word boundary or look-behind operators (and more) Stephane Chazelas
2024-03-10 19:52 ` [PATCH v6] " Stephane Chazelas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210603060546.lvai62egrinwrbni@chazelas.org \
--to=stephane@chazelas.org \
--cc=schaefer@brasslantern.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).