From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.1 required=5.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.2 Received: from primenet.com.au (ns1.primenet.com.au [203.24.36.2]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id 6f0e694e for ; Mon, 18 Mar 2019 10:02:47 +0000 (UTC) Received: (qmail 17476 invoked by alias); 18 Mar 2019 10:02:31 -0000 Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm Precedence: bulk X-No-Archive: yes List-Id: Zsh Workers List List-Post: List-Help: List-Unsubscribe: X-Seq: 44141 Received: (qmail 5354 invoked by uid 1010); 18 Mar 2019 10:02:31 -0000 X-Qmail-Scanner-Diagnostics: from mailout2.w1.samsung.com by f.primenet.com.au (envelope-from , uid 7791) with qmail-scanner-2.11 (clamdscan: 0.100.2/25391. spamassassin: 3.4.2. Clear:RC:0(210.118.77.12):SA:0(-7.0/5.0):. Processed in 3.023641 secs); 18 Mar 2019 10:02:31 -0000 X-Envelope-From: p.stephenson@samsung.com X-Qmail-Scanner-Mime-Attachments: | X-Qmail-Scanner-Zip-Files: | Received-SPF: pass (ns1.primenet.com.au: SPF record at _spf.samsung.com designates 210.118.77.12 as permitted sender) DKIM-Filter: OpenDKIM Filter v2.11.0 mailout2.w1.samsung.com 20190318100151euoutp0229ee6e83b3536e4388caeff220480f79~NBVWGBFkv2138021380euoutp02y DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samsung.com; s=mail20170921; t=1552903311; bh=6aIQQmVPobN/g78LlaEKxrWMFzx3w4TyHxfYMPOrppk=; h=Subject:From:To:Date:In-Reply-To:References:From; b=gMtd41iv7QZSmk/qxTxQG5VGDCTaahuAbPBWS6KN6jUIAy6twiSL4Tt4LNTkl2Z2g TVcFMXDM70R3WTWMNTXnDzt2RITU2Qhhh5ewiqrqqmPuFRhjc+T8MTU3hvnEeLP7vP CvJ2ZSO7wo9O+X1sbz+0R7B0rkZP4Cru/hE5D4AE= X-AuditID: cbfec7f2-5c9ff70000001159-aa-5c8f6c8ea54d Message-ID: <1552903309.5658.4.camel@samsung.com> Subject: Re: Command hashing/autocd bug & possible fixes From: Peter Stephenson To: Date: Mon, 18 Mar 2019 10:01:49 +0000 In-Reply-To: X-Mailer: Evolution 3.18.5.2-0ubuntu3.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrHIsWRmVeSWpSXmKPExsWy7djPc7p9Of0xBuu+GVocbH7I5MDoserg B6YAxigum5TUnMyy1CJ9uwSujO63s5gKPnFUzJn1jrWBcSp7FyMnh4SAicT3VzPYuhi5OIQE VjBKPH/XC+X0MUk83ziZGcLpZZJ4vXUWK0xL+/5mFojEckaJz5sPMMFV3el8CuWcYZTo+fCd HcK5wCgx+9t6oMkcHLwChhLX5ruCmMICFhJ/zwSBTGUDik7dNJsRxBYRkJS41nwazGYRUJW4 /mIxM4jNKRAoseDEPSaIKzQkNtw8BmbzCghKnJz5hAXEZhaQl2jeOhvsbAmBx2wST6//ZIFo cJE42r4S6gVhiVfHt0BDQEbi/875TBAN7YwSaya9ZodwehglNh29wwhRZS3Rd/siI8jVzAKa Eut36UOEHSVWrDrOAhKWEOCTuPFWEOIIPolJ26YzQ4R5JTrahCCq1SR2NG1lhAjLSDxdozCB UWkWkg9mIflgFsKqBYzMqxjFU0uLc9NTiw3zUsv1ihNzi0vz0vWS83M3MQJTwel/xz/tYPx6 KekQowAHoxIP741pfTFCrIllxZW5hxglOJiVRHjtPftjhHhTEiurUovy44tKc1KLDzFKc7Ao ifNWMzyIFhJITyxJzU5NLUgtgskycXBKNTBGKHXP36ChHcY/9WXw61cv4n6n9U1V0l+4LTrt cuu9mLl+T2dHKfNsEmXdttH0uKrO95uO6d9djvM/vvui6dUfjyDZCbsuVh/oWJt88lBNIOMD 2+7Ee18+XsyIDDDj2sb1SWSOqPSV6fYSh5/uXTZ7ZeB98WuBRaWvVI52cXz/P6X0xm/Rhz+u KrEUZyQaajEXFScCADW+73UBAwAA X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrPLMWRmVeSWpSXmKPExsVy+t/xu7p9Of0xBh92s1ocbH7I5MDoserg B6YAxig9m6L80pJUhYz84hJbpWhDCyM9Q0sLPSMTSz1DY/NYKyNTJX07m5TUnMyy1CJ9uwS9 jO63s5gKPnFUzJn1jrWBcSp7FyMnh4SAiUT7/mYWEFtIYCmjxMttJhBxGYlPVz5C1QhL/LnW xdbFyAVU080ksfr1clYI5wyjxJI7b1kgnAuMEtPnX2TqYuTg4BUwlLg23xXEFBawkPh7Jghk EBtQdOqm2YwgtoiApMS15tNgNouAqsT1F4uZQWxOgUCJBSfuMcEdNGFaIIjNLKAp0br9N9RB GhIbbh4Dq+EVEJQ4OfMJC0SNvETz1tnMExiFZiFpmYWkbBaSsgWMzKsYRVJLi3PTc4sN9YoT c4tL89L1kvNzNzECA3/bsZ+bdzBe2hh8iFGAg1GJh7dhSl+MEGtiWXFl7iFGCQ5mJRFee8/+ GCHelMTKqtSi/Pii0pzU4kOMpkAPTWSWEk3OB0ZlXkm8oamhuYWlobmxubGZhZI473mDyigh gfTEktTs1NSC1CKYPiYOTqkGxg4Hpi//6uec2vBRYJts7qau11ubROdrZntLiAe9eqiXMkm7 92vz2gOn/253/1l87/LkCd+4H9+pmym9qLOuTSX/xypz4T/7tk08mjn7YW7u2W0rn12aaa6Q ZCrSffTzJAWByHdPPG4fPswXXT/7Xaf8/GDT1OCwDzPnbUiXWzv5ufT8k2yblfcpsRRnJBpq MRcVJwIAeHfVzJICAAA= X-CMS-MailID: 20190318100150eucas1p29804325e5bc3ce3aa348995909e1576b X-Msg-Generator: CA Content-Type: text/plain; charset="utf-8" X-RootMTR: 20190316200339epcas3p2370800b4409cedfc025ef1c972334aa7 X-EPHeader: CA CMS-TYPE: 201P X-CMS-RootMailID: 20190316200339epcas3p2370800b4409cedfc025ef1c972334aa7 References: On Sat, 2019-03-16 at 16:01 -0400, Charles Blake wrote: > Another possible fix might be to try to stop hashcmd from entering > keys with a leading '/' (or accept an allowRooted parameter).  The > easiest way to do that.. >  > diff --git a/Src/exec.c b/Src/exec.c > index 042ba065a..79ef83c1e 100644 > --- a/Src/exec.c > +++ b/Src/exec.c > @@ -940,6 +940,8 @@ hashcmd(char *arg0, char **pp) >      char *s, buf[PATH_MAX+1]; >      char **pq; >  > +    if (*arg0 == '/') > +        return NULL; >      for (; *pp; pp++) >         if (**pp == '/') { >             s = buf; This certainly looks plausible.  I can't offhand think of a reason why a hashed command would begin with a "/"; it's just asking for trouble. We've been confusingly lax about this sort of thing in other places --- for example, autoload of a function beginning with a "/" used to do path look up under $fpath, though for a couple of years now has been treated as an absolute path. Unless anyone comes up with a counterexample I think I'll put this in. Thanks for the work. pws