From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <zsh-workers-return-34012-mason-zsh=primenet.com.au@zsh.org>
Received: (qmail 17821 invoked by alias); 19 Dec 2014 09:37:05 -0000
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List <zsh-workers.zsh.org>
List-Post: <mailto:zsh-workers@zsh.org>
List-Help: <mailto:zsh-workers-help@zsh.org>
X-Seq: 34012
Received: (qmail 28826 invoked from network); 19 Dec 2014 09:37:01 -0000
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on f.primenet.com.au
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.2
Date: Fri, 19 Dec 2014 10:29:13 +0100
From: "Christoph (Stucki) von Stuckrad" <stucki@mi.fu-berlin.de>
To: zsh-workers@zsh.org
Subject: Re: [BUG] Unicode variables can be exported and are exported metafied
Message-ID: <20141219092841.GG3581@localhost.mi.fu-berlin.de>
Mail-Followup-To: zsh-workers@zsh.org
References: <1054131418926765@web2o.yandex.ru>
 <20141218192917.4df5324b@pws-pc.ntlworld.com>
 <20141218194758.329bd9ef@pws-pc.ntlworld.com>
 <CAH+w=7YZ3kk4mMiZxFdqv1krhsGg7zSCjJr---u9Q9ZmbdJ5hA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-15
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAH+w=7YZ3kk4mMiZxFdqv1krhsGg7zSCjJr---u9Q9ZmbdJ5hA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: "Chr. von Stuckrad" <stucki@mi.fu-berlin.de>
X-Originating-IP: 160.45.113.41
X-ZEDAT-Hint: R

On Thu, 18 Dec 2014, Bart Schaefer wrote:

> Are we sure it's even "legal" to export Unicode variable names?  Internally
> we can kinda ignore POSIX as we choose, but the environment crosses those
> boundaries.

Independend of being 'legal' to me it seems dangerous!

Comparing the 'working as written' example:

~$ M='surprise; : ' MÄRCHEN=story sh -c 'echo $MÄRCHEN'
story

to running it with all the other shells I keep around
(bash, dash, ash, sash - untested ksh and csh)
you always get:

..................................vvvv
~$ M='surprise; : ' MÄRCHEN=story bash -c 'echo $MÄRCHEN'
surprise; : ÄRCHEN

Which gives interesting new ways to introduce security-sensitive
changes into environments by letting a Program check the
UTF8-named-Variable for its contents, but really inserting data
by the broken-part-name, which might be passed unchecked!

So PLEASE DO NOT EXPORT these !

Stucki


-- 
Christoph von Stuckrad      * * |nickname |Mail <stucki@mi.fu-berlin.de> \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(Mo.,Mi.):+49 30 838-75 459|
Mathematik & Informatik EDV |\ *|if online|  (Di,Do,Fr):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin   * * |on IRCnet|Fax(home):   +49 30 77 39 6601/