Date: Fri, 30 Apr 2021 07:51:23 +0100
From: Stephane Chazelas
To: Jacob Menke
Cc: zsh-workers@zsh.org
Subject: Re: Bug in Functions/Misc/regexp-replace
Message-ID: <20210430065123.zjq2mpanmtbkkgfl@chazelas.org>
X-Seq: 48748

2021-04-29 19:53:52 -0400, Jacob Menke:
[...]
> regexp-replace str 'a' 'z' && echo $str
>
> Actual Output:
> (eval):1: bzd not found
>
> Expected:
> x :=bzd
[...]

One might argue there's a problem with the (q) parameter
expansion flag, it escapes leading =s but not the =s that follow
: even though they're special there in assignments.

$ echo a=x:=y
a=x:=y
$ a=x:=y
zsh: y not found

BTW, zsh is the only shell where ~ is expanded in:

$ zsh -c 'a=a\:~; echo $a'
a:/home/chazelas

[...]
> One way to fix:
> 41: eval ${1}=${(qqq)5}

The safest quoting operator is the (qq) one. I wouldn't use any
other for things to be reinput to the shell.

See
https://unix.stackexchange.com/questions/379181/escape-a-variable-for-use-as-content-of-another-script/600214#600214
for details on that.

In particular qqq uses double quotes inside which \ and ` are
still special and those characters also appear in the encoding
of some other characters in some locales.

But here, the best thing to do is to not expose the parser to
the contents of $5 by doing:

eval "$1=\$5"

(which tells the shell to evaluate varname=$5)

You need to expand $1 here which contains the variable name.

Note that as already noted at
https://www.zsh.org/mla/workers/2019/msg01113.html
whether you use that or

: ${(P)1::="$5"}

You'll still have a command injection vulnerability if $1 is not
guaranteed to be a variable name.

-- 
Stephane
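The assignment pattern from the message above, combined with a check on the variable name, as an added example that is not part of the original e-mail or of zsh's regexp-replace. It is written in POSIX sh; the helper names is_varname and assign_checked and all sample values are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: assign to a variable whose name arrives as data,
# without letting the shell parser see the value, and refuse any name
# that is not a plain identifier.

# is_varname NAME: succeed only for [A-Za-z_][A-Za-z0-9_]*.
# Runs in a subshell so LC_ALL=C (byte-wise ranges) does not leak out.
is_varname() (
  LC_ALL=C
  case $1 in
    '' | [0-9]* | *[!A-Za-z0-9_]*) exit 1 ;;
  esac
  exit 0
)

# assign_checked NAME VALUE (hypothetical helper)
assign_checked() {
  if ! is_varname "$1"; then
    printf 'assign_checked: not a variable name\n' >&2
    return 2
  fi
  # After the outer expansion, eval parses the text  NAME=$2 .
  # Only the validated name reaches the parser; the value is expanded
  # afterwards and is never re-read as shell code.
  eval "$1=\$2"
}

demo() {
  # Constructed values: the ':=' case from the report, then one mixing
  # backquotes, a backslash, $( ) and a double quote.
  assign_checked str 'x :=bzd' || return 1
  assign_checked tricky 'a`b`\c$(d)"e' || return 1

  # Constructed hostile "name": without the check, eval would run the
  # text after the ';' as a second command.
  INJECTED=
  if assign_checked 'str;INJECTED=1' ignored 2>/dev/null; then
    return 1
  fi
  printf 'str=%s\ntricky=%s\nINJECTED=[%s]\n' "$str" "$tricky" "$INJECTED"
}

demo
```

The name check is what addresses the remaining injection through $1; the `\$2` form only protects the value.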