From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 8578 invoked by alias); 16 Apr 2017 19:08:46 -0000 Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm Precedence: bulk X-No-Archive: yes List-Id: Zsh Workers List List-Post: List-Help: X-Seq: 40981 Received: (qmail 8211 invoked from network); 16 Apr 2017 19:08:46 -0000 X-Qmail-Scanner-Diagnostics: from ulminfo.fr by f.primenet.com.au (envelope-from , uid 7791) with qmail-scanner-2.11 (clamdscan: 0.99.2/21882. spamassassin: 3.4.1. Clear:RC:0(5.135.188.139):SA:0(0.0/5.0):. Processed in 1.009908 secs); 16 Apr 2017 19:08:46 -0000 X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on f.primenet.com.au X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=SPF_PASS,T_DKIM_INVALID autolearn=unavailable autolearn_force=no version=3.4.1 X-Envelope-From: a3nm@a3nm.net X-Qmail-Scanner-Mime-Attachments: |signature.asc| X-Qmail-Scanner-Zip-Files: | Received-SPF: pass (ns1.primenet.com.au: SPF record at a3nm.net designates 5.135.188.139 as permitted sender) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=a3nm.net; s=default; t=1492369711; bh=O5Xfztav1W2kvlS91LbBB54SPh7+SZemk0ajn7adp7E=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=qs8iMxyvpKUU1e2K4tOh1/UhJgFuxtBBj0KCIp4+fRcibDgvLIx60kvZOaBM/80SK FHyhZytbFDbanV0TnBKk90xeMhvputWklyP6sRxZQNsHaYIMua9fJQnvLKqgaD+r9L gKBl7wq135W+7MAf5fyS8FIa8XnLnJ6tzbuUMnlA= Date: Sun, 16 Apr 2017 21:08:31 +0200 From: Antoine Amarilli To: Daniel Shahaf Cc: zsh-workers@zsh.org Subject: Re: Tab-completion problem through ssh when files start by dash (_remote_files:compadd:80: bad option: -@) Message-ID: <20170416190831.m7mxeishvj5exyqs@mu.a3nm.net> References: <20170413174717.4w6iatxztyutpbps@mu.a3nm.net> <20170415011902.GB12706@fujitsu.shahaf.local2> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="agdksfz2ub7ntrlx" Content-Disposition: inline In-Reply-To: <20170415011902.GB12706@fujitsu.shahaf.local2> User-Agent: NeoMutt/20170113 (1.7.2) --agdksfz2ub7ntrlx Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi Daniel, Thanks for your reply. On Sat, Apr 15, 2017 at 01:19:02AM +0000, Daniel Shahaf wrote: > Antoine Amarilli wrote on Thu, Apr 13, 2017 at 19:47:17 +0200: > > So it looks to me like the internals of tab-completion are not properly > > escaping the file names in this case, hence the warning. This is mostly > > an annoyance, but maybe there could be some more problematic > > implications (e.g., maybe a malicious jdoe on bar could create files > > that would pass actual options to compadd and mess up more seriously > > with the zsh session on foo). >=20 > The =C2=AB-R remote-func=C2=BB option seems to be the most obvious method= of > injection. I'm not sure whether it requires a literal function name, or > whether an anonymous function would be accepted too. I played a bit with it but wasn't able to get it to execute. That said, I'm not at all familiar with the semantics of compadd, so someone more familiar who can reproduce the problem may be able to achieve something... > I think this fixes it? >=20 > diff --git a/Completion/Unix/Type/_remote_files b/Completion/Unix/Type/_r= emote_files > index 1e9fed1..a5fce9a 100644 I patched my copy of /usr/share/zsh/functions/Completion/Unix/_remote_files following this diff, and indeed this silences the warning and tab-completion seems to work. Thanks! I guess it would be good to commit this fix in the codebase then? Thanks a lot again! Best, --=20 Antoine Amarilli --agdksfz2ub7ntrlx Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEOcjWpfrki1T9GCYxgNiLItQzAzEFAljzwS8ACgkQgNiLItQz AzG21Q/9G4zrB/sKVJIUikkRRJHkS+jh03m51gdftvepPk5BY4DrQsjtOzc6g8Mg uJrzbc3dklsi1rcLMOjPaGQxKy7tWmJnj7xijoffAgRz5Bsq9E+BrBnjVyOzRWQL /PRPE8Oq8vuovpa0c+CAHHaK4JTk32+fKWtlrlBsVQkVCV1ejOlybhiJ0z9dsgrP HJsCt02rfgB7PcMu3pfQUwktBw5R28TRne2iq+iQ9DIi/68sfytPqqHdqBBJNLvV rlMZNP6Lp713IsgRhX609rfUDQwJ0wX7bmomPO4uybd7VdmvDRVsLcu0D7MVwEdD QFKugKV2VKbOIVjz/wbmceeEOjNrmW98kuGTyC5+WRd8a+BTK5M2en+VxoRAxK4G QRuZQXQmUZlUSMwvaUJfsaDrMGSmnL8UAGJJhAqLAdOevE8sRVWWFSy9igsITY8U AOz3JU6/aM+PeU7imKjxBbmHmgxP8vOBqdHgaRksE4lonVxjuYmS91J3H8RgO7Xs Jyo00DKpd9K3wXuy+gKy8YB4mIGxuJlHrSAPnrUgtyNxN/Kkk808+x914KNG6pII xqcnKMagAB3w34ybuXcQUZWWWcMe7iiMTSBepqdqjTnojHk4mnIOikClRyJxJrK0 0BZ4Ab+UtHjypCo+rUoTeP13IGfb+LEwRtNRZV9ljZGPXWa1ylc= =Mp9n -----END PGP SIGNATURE----- --agdksfz2ub7ntrlx--