questions re: NO_PROMPT_PERCENT

questions re: NO_PROMPT_PERCENT

[Roman Neuhauser]

i was playing with my prompt settings, and arrived at a place
where i was setting PROMPT to a value with no remaining %-sequences
to expand (i was trying to achieve a particular visual effect which
depends on the contents of the expanded prompt).

prompt-git-info # populates $git_info
declare -a bits=("%(!~ "!%!" "?%?" "%%""%j" "%3~" "$git_info")
declare -a s=("%B" "%S")
# vvvvvvvvvvvvvvvvvvvv
declare tmp="${(%j: :)bits}"
# insert more %-sequences between characters in $tmp
# ^^^^^^^^^^^^^^^^^^^^
PROMPT="${(%j::)s} $tmp ${(%j::)${(@LMOa)s#%?}} "

if i'm reading this situation correctly (am I?  honest question!),
a malicious repository could use PROMPT_PERCENT to paint over my
prompt with fake data (`ESC [ Ps G` for a start), and what i should
be doing instead is

#      vvvvvvvvvvvvvvv
setopt nopromptpercent
#      ^^^^^^^^^^^^^^^
declare -a bits=("%(!~#~:)" "!%!" "?%?" "%%""%j" "%3~")
declare tmp="${(%j: :)bits}"
#      vvvvvvvvvvvvvvv
tmp+=" ${(V)git_info}"
#      ^^^^^^^^^^^^^^^
# insert more %-sequences between characters in $tmp
PROMPT="${(%j::)s} $tmp ${(%j::)${(@LMOa)s#%?}} "

BTW, i'm not much of a target and i don't think my PROMPT would
be the anyone's first choice of an attack vector against me,
but please humor me.

so i tried turning PROMPT_PERCENT off, and ended up with broken

* completion
* corrections
* xtrace (i know, PS4)

and possibly more (i know about select) but i didn't look further and
reverted, the completion system must be using a mix of print -P and
${(%)..} (the latter is unperturbed by the setting) since the terminal
gets unusable promptly, pun intended. (the shell loses track of the
cursor.)

i looked at the code history, the option goes beyond 1999, and mere
git log / git grep does not give much detail about behavior expected
back then; eg. it's possible print -P didn't even exist back then.

  % git grep -i -e percent c175751b5 -- ChangeLog
  c175751b5:ChangeLog:      Src/options.c, Src/prompt.c, Src/zsh.h: Options PROMPT_PERCENT

(there's no Src/ in the c175751b5 tree as far as i can see)

my questions are:

* is there a meaningful difference between
  set +o promptsubst; PROMPT="... $var ..."
  and
  set -o promptsubst; PROMPT='... $var ...'?
* is my understanding of PROMPT being susceptible to malicious
  data substituted directly as above correct?  what are effective
  mitigations? does ${(V)} really have me covered under PROMPTSUBST?
  what are the limits imposed by %{...%}?  the manual says it "should
  not change the cursor position", a quick test suggests it would be
  better worded as "will not be allowed ..."?  this deserves more
  detail in the text.
* does the topic deserve better coverage in the manual?
  i'm convinced it does.
* would everyone (is there one?) using nopromptpercent raise their hand?
  please describe your interactive use of zsh 5.x with nopromptpercent!
* i keep praising zsh for its conservatism, but screw 1999, what is the
  *goal* of the setting *today*?  ie. is the impact NOPROMPTPERCENT has
  on CORRECT expected?  is it *desired*?  why?  what are the $REASONS
  in "displaying the CORRECT prompt without substituting %R or %r is a
  major goal of this option because $REASONS"?  i mean, if CORRECT is
  a security concern (how?) then there's NOCORRECT, no?
* why does it affect `print -P`?
* why does it *not* affect the % parameter expansion flag?

-- 
roman

Re: questions re: NO_PROMPT_PERCENT

[Oliver Kiddle]

Roman Neuhauser wrote:
> so i tried turning PROMPT_PERCENT off, and ended up with broken
>
> * completion

For what it's worth, I neither see much breakage when turning
prompt_percent off nor do I find any uses of print -P when grepping in
the Completion directory of the zsh sources. If there are any, ${(%)...}
should be used instead. Is your breakage perhaps just a messed up
terminal due to literal escape sequences in your prompt? All the
complist and zformat stuff looks fine to me.

> * is there a meaningful difference between
>   set +o promptsubst; PROMPT="... $var ..."
>   and
>   set -o promptsubst; PROMPT='... $var ...'?

It changes when $var is expanded. I'd only use the latter with $var
being set from hook functions.

> * is my understanding of PROMPT being susceptible to malicious
>   data substituted directly as above correct?  what are effective
>   mitigations? does ${(V)} really have me covered under PROMPTSUBST?
>   what are the limits imposed by %{...%}?  the manual says it "should
>   not change the cursor position", a quick test suggests it would be
>   better worded as "will not be allowed ..."?  this deserves more
>   detail in the text.

You can specify a number with it where the content does advance the
cursor.

promptsubst also allows command and math substitutions. For security
to be a concern, you still have to personally configure it to fill the
variables with untrusted data. Things like key rebinding escape
sequences are long gone so I'm not sure you really need to worry but (V)
is likely harmless anyway.

> * does the topic deserve better coverage in the manual?
>   i'm convinced it does.

It's hard to comment without more specifics of what you'd want included.

> * would everyone (is there one?) using nopromptpercent raise their hand?
>   please describe your interactive use of zsh 5.x with nopromptpercent!

I was thinking the main use would be for sh emulation but apparently
that doesn't bother to unset it.

> * i keep praising zsh for its conservatism, but screw 1999, what is the
>   *goal* of the setting *today*?  ie. is the impact NOPROMPTPERCENT has
>   on CORRECT expected?  is it *desired*?  why?  what are the $REASONS
>   in "displaying the CORRECT prompt without substituting %R or %r is a
>   major goal of this option because $REASONS"?  i mean, if CORRECT is
>   a security concern (how?) then there's NOCORRECT, no?

Yes, that doesn't seem expecially useful but not entirely suprising when
thinking about implementation. Should we treat this as a bug?

> * why does it affect `print -P`?
> * why does it *not* affect the % parameter expansion flag?

print -P is older. I'd speculate that whoever implemented it considered it
useful to be able to print, e.g. $PS1 and have it appear as a prompt
would.

Oliver

Re: questions re: NO_PROMPT_PERCENT

[Bart Schaefer]

On Mon, Aug 9, 2021 at 1:46 PM Oliver Kiddle <opk@zsh.org> wrote:
>
> For what it's worth, I neither see much breakage when turning
> prompt_percent off nor do I find any uses of print -P when grepping in
> the Completion directory of the zsh sources. If there are any, ${(%)...}
> should be used instead. Is your breakage perhaps just a messed up
> terminal due to literal escape sequences in your prompt?

Anything that depends on %{...%} to tell the prompt code (and by
extension the completion code) where there are cursor movements that
shouldn't be counted as part of the shape of the prompt, is going to
become broken if PROMPT_PERCENT is turned off.  There are a couple of
things in the Functions/ tree (some of them written by me, I see) that
assume PROMPT_PERCENT is active without asserting it, but I don't see
anything like that in the Completion/ tree.