zsh-users
 help / color / mirror / code / Atom feed
From: Oliver Kiddle <opk@zsh.org>
To: Roman Neuhauser <neuhauser@sigpipe.cz>
Cc: zsh-users@zsh.org
Subject: Re: questions re: NO_PROMPT_PERCENT
Date: Mon, 09 Aug 2021 22:46:15 +0200	[thread overview]
Message-ID: <31323-1628541975.218161@pkyE.Ss-A.4HoV> (raw)
In-Reply-To: <YQ34yepHrocPN++7@isis.sigpipe.cz>

Roman Neuhauser wrote:
> so i tried turning PROMPT_PERCENT off, and ended up with broken
>
> * completion

For what it's worth, I neither see much breakage when turning
prompt_percent off nor do I find any uses of print -P when grepping in
the Completion directory of the zsh sources. If there are any, ${(%)...}
should be used instead. Is your breakage perhaps just a messed up
terminal due to literal escape sequences in your prompt? All the
complist and zformat stuff looks fine to me.

> * is there a meaningful difference between
>   set +o promptsubst; PROMPT="... $var ..."
>   and
>   set -o promptsubst; PROMPT='... $var ...'?

It changes when $var is expanded. I'd only use the latter with $var
being set from hook functions.

> * is my understanding of PROMPT being susceptible to malicious
>   data substituted directly as above correct?  what are effective
>   mitigations? does ${(V)} really have me covered under PROMPTSUBST?
>   what are the limits imposed by %{...%}?  the manual says it "should
>   not change the cursor position", a quick test suggests it would be
>   better worded as "will not be allowed ..."?  this deserves more
>   detail in the text.

You can specify a number with it where the content does advance the
cursor.

promptsubst also allows command and math substitutions. For security
to be a concern, you still have to personally configure it to fill the
variables with untrusted data. Things like key rebinding escape
sequences are long gone so I'm not sure you really need to worry but (V)
is likely harmless anyway.

> * does the topic deserve better coverage in the manual?
>   i'm convinced it does.

It's hard to comment without more specifics of what you'd want included.

> * would everyone (is there one?) using nopromptpercent raise their hand?
>   please describe your interactive use of zsh 5.x with nopromptpercent!

I was thinking the main use would be for sh emulation but apparently
that doesn't bother to unset it.

> * i keep praising zsh for its conservatism, but screw 1999, what is the
>   *goal* of the setting *today*?  ie. is the impact NOPROMPTPERCENT has
>   on CORRECT expected?  is it *desired*?  why?  what are the $REASONS
>   in "displaying the CORRECT prompt without substituting %R or %r is a
>   major goal of this option because $REASONS"?  i mean, if CORRECT is
>   a security concern (how?) then there's NOCORRECT, no?

Yes, that doesn't seem expecially useful but not entirely suprising when
thinking about implementation. Should we treat this as a bug?

> * why does it affect `print -P`?
> * why does it *not* affect the % parameter expansion flag?

print -P is older. I'd speculate that whoever implemented it considered it
useful to be able to print, e.g. $PS1 and have it appear as a prompt
would.

Oliver


  reply	other threads:[~2021-08-09 20:47 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-07  3:06 Roman Neuhauser
2021-08-09 20:46 ` Oliver Kiddle [this message]
2021-08-09 21:49   ` Bart Schaefer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=31323-1628541975.218161@pkyE.Ss-A.4HoV \
    --to=opk@zsh.org \
    --cc=neuhauser@sigpipe.cz \
    --cc=zsh-users@zsh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).