From: Stephane Chazelas <stephane@chazelas.org>
To: Jacob Menke <linux.dev25@gmail.com>
Cc: zsh-workers@zsh.org
Subject: Re: Bug in Functions/Misc/regexp-replace
Date: Fri, 30 Apr 2021 07:51:23 +0100 [thread overview]
Message-ID: <20210430065123.zjq2mpanmtbkkgfl@chazelas.org> (raw)
In-Reply-To: <CAB5oL3Z4m+vYsGLzkAqw62o3RbUy+N5HpgbBuLn_kK99YPNjDg@mail.gmail.com>
2021-04-29 19:53:52 -0400, Jacob Menke:
[...]
> regexp-replace str 'a' 'z' && echo $str
>
> Actual Output:
> (eval):1: bzd not found
>
> Expected:
> x :=bzd
[...]
One might argue there's a problem with the (q) parameter
expansion flag, it escapes leading =s but not the =s that follow
: even though they're special there in assignments.
$ echo a=x:=y
a=x:=y
$ a=x:=y
zsh: y not found
BTW, zsh is the only shell where ~ is expanded in:
$ zsh -c 'a=a\:~; echo $a'
a:/home/chazelas
[...]
> One way to fix:
> 41: eval ${1}=${(qqq)5}
The safest quoting operator is the (qq) one. I wouldn't use any
other for things to be reinput to the shell.
See
https://unix.stackexchange.com/questions/379181/escape-a-variable-for-use-as-content-of-another-script/600214#600214
for details on that.
In particular qqq uses double quotes inside which \ and ` are
still special and those characters also appear in the encoding
of some other characters in some locales.
But here, the best thing to do is to not expose the parser to
the contents of $5 by doing:
eval "$1=\$5"
(which tells the shell to evaluate varname=$5)
You need to expand $1 here which contains the variable name.
Note that as already noted at
https://www.zsh.org/mla/workers/2019/msg01113.html
whether you use that or
: ${(P)1::="$5"}
You'll still have a command injection vulnerability if $1 is not
guaranteed to be a variable name.
--
Stephane
next prev parent reply other threads:[~2021-04-30 6:51 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-29 23:53 Jacob Menke
2021-04-30 0:40 ` Matthew Martin
2021-04-30 5:56 ` Stephane Chazelas
2021-04-30 6:51 ` Stephane Chazelas [this message]
2021-04-30 8:17 ` tilde expansion after quoted : in assignments Stephane Chazelas
2021-04-30 17:43 ` Bart Schaefer
2021-04-30 20:13 ` Bug in Functions/Misc/regexp-replace Jacob Menke
2021-04-30 21:22 ` Bart Schaefer
2021-04-30 20:43 ` Bart Schaefer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210430065123.zjq2mpanmtbkkgfl@chazelas.org \
--to=stephane@chazelas.org \
--cc=linux.dev25@gmail.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).