help / color / mirror / code / Atom feed
From: Roman Neuhauser <neuhauser@sigpipe.cz>
To: zsh-users@zsh.org
Subject: questions re: NO_PROMPT_PERCENT
Date: Sat, 7 Aug 2021 05:06:49 +0200	[thread overview]
Message-ID: <YQ34yepHrocPN++7@isis.sigpipe.cz> (raw)

i was playing with my prompt settings, and arrived at a place
where i was setting PROMPT to a value with no remaining %-sequences
to expand (i was trying to achieve a particular visual effect which
depends on the contents of the expanded prompt).

prompt-git-info # populates $git_info
declare -a bits=("%(!~ "!%!" "?%?" "%%""%j" "%3~" "$git_info")
declare -a s=("%B" "%S")
# vvvvvvvvvvvvvvvvvvvv
declare tmp="${(%j: :)bits}"
# insert more %-sequences between characters in $tmp
# ^^^^^^^^^^^^^^^^^^^^
PROMPT="${(%j::)s} $tmp ${(%j::)${(@LMOa)s#%?}} "

if i'm reading this situation correctly (am I?  honest question!),
a malicious repository could use PROMPT_PERCENT to paint over my
prompt with fake data (`ESC [ Ps G` for a start), and what i should
be doing instead is

#      vvvvvvvvvvvvvvv
setopt nopromptpercent
#      ^^^^^^^^^^^^^^^
declare -a bits=("%(!~#~:)" "!%!" "?%?" "%%""%j" "%3~")
declare tmp="${(%j: :)bits}"
#      vvvvvvvvvvvvvvv
tmp+=" ${(V)git_info}"
#      ^^^^^^^^^^^^^^^
# insert more %-sequences between characters in $tmp
PROMPT="${(%j::)s} $tmp ${(%j::)${(@LMOa)s#%?}} "

BTW, i'm not much of a target and i don't think my PROMPT would
be the anyone's first choice of an attack vector against me,
but please humor me.

so i tried turning PROMPT_PERCENT off, and ended up with broken

* completion
* corrections
* xtrace (i know, PS4)

and possibly more (i know about select) but i didn't look further and
reverted, the completion system must be using a mix of print -P and
${(%)..} (the latter is unperturbed by the setting) since the terminal
gets unusable promptly, pun intended. (the shell loses track of the

i looked at the code history, the option goes beyond 1999, and mere
git log / git grep does not give much detail about behavior expected
back then; eg. it's possible print -P didn't even exist back then.

  % git grep -i -e percent c175751b5 -- ChangeLog
  c175751b5:ChangeLog:      Src/options.c, Src/prompt.c, Src/zsh.h: Options PROMPT_PERCENT

(there's no Src/ in the c175751b5 tree as far as i can see)

my questions are:

* is there a meaningful difference between
  set +o promptsubst; PROMPT="... $var ..."
  set -o promptsubst; PROMPT='... $var ...'?
* is my understanding of PROMPT being susceptible to malicious
  data substituted directly as above correct?  what are effective
  mitigations? does ${(V)} really have me covered under PROMPTSUBST?
  what are the limits imposed by %{...%}?  the manual says it "should
  not change the cursor position", a quick test suggests it would be
  better worded as "will not be allowed ..."?  this deserves more
  detail in the text.
* does the topic deserve better coverage in the manual?
  i'm convinced it does.
* would everyone (is there one?) using nopromptpercent raise their hand?
  please describe your interactive use of zsh 5.x with nopromptpercent!
* i keep praising zsh for its conservatism, but screw 1999, what is the
  *goal* of the setting *today*?  ie. is the impact NOPROMPTPERCENT has
  on CORRECT expected?  is it *desired*?  why?  what are the $REASONS
  in "displaying the CORRECT prompt without substituting %R or %r is a
  major goal of this option because $REASONS"?  i mean, if CORRECT is
  a security concern (how?) then there's NOCORRECT, no?
* why does it affect `print -P`?
* why does it *not* affect the % parameter expansion flag?


             reply	other threads:[~2021-08-07  3:08 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-07  3:06 Roman Neuhauser [this message]
2021-08-09 20:46 ` Oliver Kiddle
2021-08-09 21:49   ` Bart Schaefer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YQ34yepHrocPN++7@isis.sigpipe.cz \
    --to=neuhauser@sigpipe.cz \
    --cc=zsh-users@zsh.org \


* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).