Re: arithmetic expression from outside

zsh-workers
 help / color / mirror / code / Atom feed

From: Stephane Chazelas <stephane.chazelas@gmail.com>
To: zsh-workers@zsh.org
Subject: Re: arithmetic expression from outside
Date: Thu, 5 Sep 2019 20:49:13 +0100	[thread overview]
Message-ID: <20190905194913.2lc3az7obp2uem7i@chaz.gmail.com> (raw)
In-Reply-To: <CAH+w=7a_Av6w58cMXOw8CoOunAAfr--xnWHis8i6woHDphwH6A@mail.gmail.com>

2019-09-05 11:22:53 -0700, Bart Schaefer:
[...]
> % N='sum[$(echo Hello, world!>&2)]' bash -c 'echo $((N))'
> Hello, world!
> 0
> 
> Zsh at least does not do that with parameters from the environment,
> although I'm not exactly sure what prevents it.

It does, but the variable has to be an array:

$ N='psvar[$(echo Hello, world!>&2)]' zsh -c 'echo $((N))'
Hello, world!
zsh:1: bad math expression: empty string

See also
https://unix.stackexchange.com/questions/172103/security-implications-of-using-unsanitized-data-in-shell-arithmetic-evaluation

That's regularly reported as a security vulnerability or at
least a misfeature that causes security vulnerabilities (to bash
and zsh at least; first time I heard about it was from Oliver
Kiddle here shortly after shellshock) and I agree it is.

It would be nice if something could be done about it, but I'm
not sure there's an easy solution other than redesigning a new
arithmetic expression parsing from scratch.

POSIX gets in the way because it requires $(($1)) to be done in
two steps: first expansion of $1 and then evaluation of the
expression resulting from that expansion (so with a value like
PATH=7734, you get a nasty side effect even with dash or other
shells that don't have extensions over the standard).

I'm not sure we can do anything safe without coming up with a
completely new, incompatible and pretty limited syntax.

-- 
Stephane

next prev parent reply	other threads:[~2019-09-05 19:50 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-09-05  8:49 YAMAGUCHI Takanori
2019-09-05 18:22 ` Bart Schaefer
2019-09-05 19:49   ` Stephane Chazelas [this message]
2019-09-06  5:48   ` YAMAGUCHI Takanori
2019-09-07 12:01   ` Daniel Shahaf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190905194913.2lc3az7obp2uem7i@chaz.gmail.com \
    --to=stephane.chazelas@gmail.com \
    --cc=zsh-workers@zsh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.vuxu.org/mirror/zsh/

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).