From: Pier Paolo Grassi
Date: Thu, 16 Apr 2020 18:37:47 +0200
Subject: Re: indirect assignment to array
To: Pier Paolo Grassi, Mikael Magnusson, Zsh-Users List
In-Reply-To: <20200416163022.vremvngrnnbxgdg6@chazelas.org>

Thanks Stephane, it is indeed a good habit to sanitize the varname
whichever method is utilized.
From your explanation I admit the eval solution would have been equally valid.

regards

Pier Paolo Grassi
linkedin: https://www.linkedin.com/in/pier-paolo-grassi-19300217
founder: https://www.meetup.com/it-IT/Machine-Learning-TO

On Thu 16 Apr 2020 at 18:30, Stephane Chazelas <stephane@chazelas.org> wrote:

> 2020-04-16 01:42:29 +0200, Pier Paolo Grassi:
> > On Thu 16 Apr 2020 at 01:13, Mikael Magnusson <mikachu@gmail.com>
> > wrote:
> [...]
> > > : ${(PA)varname::=$array}
> > > (leave out the A for scalar assignment, and use AA for assoc arrays).
> [...]
> > Thanks! I was afraid I had to resort to eval.
> [...]
>
> What's wrong with "eval"? Note that many of those alternatives
> to "eval" are just other evals in disguise or are as dangerous
> (but giving the wrong impression that they're not).
>
> : ${(PA)varname::=$array}
>
> is a command injection vulnerability if the content of $varname
> is not sanitized.
>
>
> $ varname='x[$(uname>&2)]'
> $ : ${(PA)varname::=$array}
> Linux
> zsh: bad math expression: empty string
>
> So is:
>
> eval $varname'=("$array[@]")'
>
> but at least it's more obvious that it is.
>
> In any case, I'd expect the contents of $varname to be known and
> trusted in this case, while that of $array could be anything.
>
> Note that that "$array[@]" (instead of $array) is needed to
> preserve empty elements.
>
> --
> Stephane
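
An added example, not part of the original thread: one way to do the sanitization discussed above in zsh. The helper name set_array and the sample data are assumptions made for illustration. It accepts only a plain ASCII identifier as the target name and then uses the eval form of the assignment shown in the thread, so a name such as x[$(uname>&2)] is refused before anything is evaluated.

```zsh
# Added example, not from the thread; set_array is a hypothetical helper name.
# Usage: set_array NAME [ELEMENT...]
set_array() {
  emulate -L zsh          # predictable options inside the function
  setopt extended_glob    # needed for the '#' (zero or more) pattern operator

  # Accept only a plain ASCII identifier: no subscript, no expansion syntax.
  # The name is only compared as a string here, never expanded or evaluated.
  if [[ $1 != [A-Za-z_][A-Za-z0-9_]# ]]; then
    print -ru2 -- "set_array: refusing variable name ${(qq)1}"
    return 1
  fi

  # The name is now known to be harmless, so the eval form from the thread
  # is safe. The values are never part of the evaluated string, and the
  # quoted (@) expansion preserves empty elements.
  eval "$1"'=("${(@)argv[2,-1]}")'
}

# Constructed sample data: an empty element and text that looks like code.
src=(one '' 'three $(uname)')

set_array dest "${src[@]}"
print -r -- "dest has ${#dest} elements"
print -rl -- "${(@qq)dest}"

# The name from the thread is rejected before anything is evaluated.
set_array 'x[$(uname>&2)]' "${src[@]}" || print -r -- "rejected"
```

The check is deliberately an allowlist: anything that is not a bare identifier is refused, which also rules out array subscripts, where zsh performs arithmetic evaluation.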