zsh-users
 help / color / mirror / code / Atom feed
* questions re: NO_PROMPT_PERCENT
@ 2021-08-07  3:06 Roman Neuhauser
  2021-08-09 20:46 ` Oliver Kiddle
  0 siblings, 1 reply; 3+ messages in thread
From: Roman Neuhauser @ 2021-08-07  3:06 UTC (permalink / raw)
  To: zsh-users

i was playing with my prompt settings, and arrived at a place
where i was setting PROMPT to a value with no remaining %-sequences
to expand (i was trying to achieve a particular visual effect which
depends on the contents of the expanded prompt).

prompt-git-info # populates $git_info
declare -a bits=("%(!~ "!%!" "?%?" "%%""%j" "%3~" "$git_info")
declare -a s=("%B" "%S")
# vvvvvvvvvvvvvvvvvvvv
declare tmp="${(%j: :)bits}"
# insert more %-sequences between characters in $tmp
# ^^^^^^^^^^^^^^^^^^^^
PROMPT="${(%j::)s} $tmp ${(%j::)${(@LMOa)s#%?}} "

if i'm reading this situation correctly (am I?  honest question!),
a malicious repository could use PROMPT_PERCENT to paint over my
prompt with fake data (`ESC [ Ps G` for a start), and what i should
be doing instead is

#      vvvvvvvvvvvvvvv
setopt nopromptpercent
#      ^^^^^^^^^^^^^^^
declare -a bits=("%(!~#~:)" "!%!" "?%?" "%%""%j" "%3~")
declare tmp="${(%j: :)bits}"
#      vvvvvvvvvvvvvvv
tmp+=" ${(V)git_info}"
#      ^^^^^^^^^^^^^^^
# insert more %-sequences between characters in $tmp
PROMPT="${(%j::)s} $tmp ${(%j::)${(@LMOa)s#%?}} "

BTW, i'm not much of a target and i don't think my PROMPT would
be the anyone's first choice of an attack vector against me,
but please humor me.

so i tried turning PROMPT_PERCENT off, and ended up with broken

* completion
* corrections
* xtrace (i know, PS4)

and possibly more (i know about select) but i didn't look further and
reverted, the completion system must be using a mix of print -P and
${(%)..} (the latter is unperturbed by the setting) since the terminal
gets unusable promptly, pun intended. (the shell loses track of the
cursor.)

i looked at the code history, the option goes beyond 1999, and mere
git log / git grep does not give much detail about behavior expected
back then; eg. it's possible print -P didn't even exist back then.

  % git grep -i -e percent c175751b5 -- ChangeLog
  c175751b5:ChangeLog:      Src/options.c, Src/prompt.c, Src/zsh.h: Options PROMPT_PERCENT

(there's no Src/ in the c175751b5 tree as far as i can see)

my questions are:

* is there a meaningful difference between
  set +o promptsubst; PROMPT="... $var ..."
  and
  set -o promptsubst; PROMPT='... $var ...'?
* is my understanding of PROMPT being susceptible to malicious
  data substituted directly as above correct?  what are effective
  mitigations? does ${(V)} really have me covered under PROMPTSUBST?
  what are the limits imposed by %{...%}?  the manual says it "should
  not change the cursor position", a quick test suggests it would be
  better worded as "will not be allowed ..."?  this deserves more
  detail in the text.
* does the topic deserve better coverage in the manual?
  i'm convinced it does.
* would everyone (is there one?) using nopromptpercent raise their hand?
  please describe your interactive use of zsh 5.x with nopromptpercent!
* i keep praising zsh for its conservatism, but screw 1999, what is the
  *goal* of the setting *today*?  ie. is the impact NOPROMPTPERCENT has
  on CORRECT expected?  is it *desired*?  why?  what are the $REASONS
  in "displaying the CORRECT prompt without substituting %R or %r is a
  major goal of this option because $REASONS"?  i mean, if CORRECT is
  a security concern (how?) then there's NOCORRECT, no?
* why does it affect `print -P`?
* why does it *not* affect the % parameter expansion flag?

-- 
roman


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: questions re: NO_PROMPT_PERCENT
  2021-08-07  3:06 questions re: NO_PROMPT_PERCENT Roman Neuhauser
@ 2021-08-09 20:46 ` Oliver Kiddle
  2021-08-09 21:49   ` Bart Schaefer
  0 siblings, 1 reply; 3+ messages in thread
From: Oliver Kiddle @ 2021-08-09 20:46 UTC (permalink / raw)
  To: Roman Neuhauser; +Cc: zsh-users

Roman Neuhauser wrote:
> so i tried turning PROMPT_PERCENT off, and ended up with broken
>
> * completion

For what it's worth, I neither see much breakage when turning
prompt_percent off nor do I find any uses of print -P when grepping in
the Completion directory of the zsh sources. If there are any, ${(%)...}
should be used instead. Is your breakage perhaps just a messed up
terminal due to literal escape sequences in your prompt? All the
complist and zformat stuff looks fine to me.

> * is there a meaningful difference between
>   set +o promptsubst; PROMPT="... $var ..."
>   and
>   set -o promptsubst; PROMPT='... $var ...'?

It changes when $var is expanded. I'd only use the latter with $var
being set from hook functions.

> * is my understanding of PROMPT being susceptible to malicious
>   data substituted directly as above correct?  what are effective
>   mitigations? does ${(V)} really have me covered under PROMPTSUBST?
>   what are the limits imposed by %{...%}?  the manual says it "should
>   not change the cursor position", a quick test suggests it would be
>   better worded as "will not be allowed ..."?  this deserves more
>   detail in the text.

You can specify a number with it where the content does advance the
cursor.

promptsubst also allows command and math substitutions. For security
to be a concern, you still have to personally configure it to fill the
variables with untrusted data. Things like key rebinding escape
sequences are long gone so I'm not sure you really need to worry but (V)
is likely harmless anyway.

> * does the topic deserve better coverage in the manual?
>   i'm convinced it does.

It's hard to comment without more specifics of what you'd want included.

> * would everyone (is there one?) using nopromptpercent raise their hand?
>   please describe your interactive use of zsh 5.x with nopromptpercent!

I was thinking the main use would be for sh emulation but apparently
that doesn't bother to unset it.

> * i keep praising zsh for its conservatism, but screw 1999, what is the
>   *goal* of the setting *today*?  ie. is the impact NOPROMPTPERCENT has
>   on CORRECT expected?  is it *desired*?  why?  what are the $REASONS
>   in "displaying the CORRECT prompt without substituting %R or %r is a
>   major goal of this option because $REASONS"?  i mean, if CORRECT is
>   a security concern (how?) then there's NOCORRECT, no?

Yes, that doesn't seem expecially useful but not entirely suprising when
thinking about implementation. Should we treat this as a bug?

> * why does it affect `print -P`?
> * why does it *not* affect the % parameter expansion flag?

print -P is older. I'd speculate that whoever implemented it considered it
useful to be able to print, e.g. $PS1 and have it appear as a prompt
would.

Oliver


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: questions re: NO_PROMPT_PERCENT
  2021-08-09 20:46 ` Oliver Kiddle
@ 2021-08-09 21:49   ` Bart Schaefer
  0 siblings, 0 replies; 3+ messages in thread
From: Bart Schaefer @ 2021-08-09 21:49 UTC (permalink / raw)
  To: Zsh Users

On Mon, Aug 9, 2021 at 1:46 PM Oliver Kiddle <opk@zsh.org> wrote:
>
> For what it's worth, I neither see much breakage when turning
> prompt_percent off nor do I find any uses of print -P when grepping in
> the Completion directory of the zsh sources. If there are any, ${(%)...}
> should be used instead. Is your breakage perhaps just a messed up
> terminal due to literal escape sequences in your prompt?

Anything that depends on %{...%} to tell the prompt code (and by
extension the completion code) where there are cursor movements that
shouldn't be counted as part of the shape of the prompt, is going to
become broken if PROMPT_PERCENT is turned off.  There are a couple of
things in the Functions/ tree (some of them written by me, I see) that
assume PROMPT_PERCENT is active without asserting it, but I don't see
anything like that in the Completion/ tree.


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-08-09 21:51 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-07  3:06 questions re: NO_PROMPT_PERCENT Roman Neuhauser
2021-08-09 20:46 ` Oliver Kiddle
2021-08-09 21:49   ` Bart Schaefer

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).