From: Stephane Chazelas <stephane@chazelas.org>
To: Bart Schaefer <schaefer@brasslantern.com>
Cc: Peter Stephenson <p.w.stephenson@ntlworld.com>,
Zsh hackers list <zsh-workers@zsh.org>
Subject: Re: [PATCH (not final)] (take three?) unset "array[$anything]"
Date: Fri, 4 Jun 2021 21:21:16 +0100 [thread overview]
Message-ID: <20210604202116.gnxqqegfnmki2i57@chazelas.org> (raw)
In-Reply-To: <CAH+w=7ZXkFCJN+n4oxosudicJqNOCCts40xwaX4qW=kg+vrWAg@mail.gmail.com>
2021-06-04 11:36:09 -0700, Bart Schaefer:
> On Fri, Jun 4, 2021 at 1:02 AM Stephane Chazelas <stephane@chazelas.org> wrote:
> >
> > It also means the lexer, a large and complex bit of code whose
> > behaviour also depends on a the setting of a number of options
> > will end up being exposed to user-supplied data (of the users of
> > the zsh scripts, not just the users of zsh), which adds some
> > level of risk.
>
> This remark baffles me. The exact same code is used for ${v/pat/repl}
> among other things, I haven't added any new entry point to the lexer.
But there (and I expect most other contexts where that is used),
the repl is not data supplied by the user of the script, it will
be typically fixed code like $replacement as supplied by the
*author* of the script.
While in:
while IFS=, read -r a b c; do
unset "hash[$b]"
done < data
And with the stripquotes patch, you'd have the *contents* of $b
(from external data), not the literal $b string fed to the lexer
as if it was meant to be zsh code.
[...]
> > Currently we can do (reliably):
> >
> > read 'hash[$key]'
>
> It's unfortunate that this is "reliable" because I'm pretty sure it's
> totally unintentional and should be considered a bug. "read" should
> not be re-interpreting $key in its NAME parameter.
I'd tend to agree with that statement, and it's this kind of
thing that makes things taking lvalues or arithmetic expressions
very dangerous.
As discussed several times (IIRC, Oliver Kiddle brought it up in
2014 in the aftermaths of shellshock).
((x == 1))
or
printf %d x
or
read "array[x]"
are also command injection vulnerabilities for the same kind of
reason. Here for instance when x='psvar[$(reboot)1]' even
though there's probably not a good reason why $(reboot) would be
expanded when x is referenced in an arithmetic expression.
>
> > and can't do (reliably)
> >
> > read "hash[$key]"
>
> That one ought to be reliable if using hash elements here is permitted at all.
>
> > If we align with whatever solution we pick for unset, we're
> > going to break a lot more scripts. I don't think we can touch
> > those at least in the default mode operation.
>
> I don't know how many is "a lot" here
I don't have an answer to that either.
> because frankly this is
> something I would never have thought of attempting in the first place
> (particularly, relying on the buggy behavior of the single-quoted
> case). But I really want to STOP talking about this in the same
> thread as the "unset" question.
Well, it would be good if all those things would be fixed once
and for all and in a consistent way.
There's also the fact that we can't do:
hash['foo bar
baz'$'\n'...]=value
(one needs things like hash[${(pl[1][\n])}]=x to set elements of
key $'\n')
or
array[1 + 1]=4
That is pretty annoying.
Hard to fix without breaking backward portability, but could we
introduce a better design under a new option (setopt
bettersubscriptsandarithmetics), or a "use 6.0" à la perl?
See also https://github.com/ksh93/ksh/issues/152
where Martijn Dekker has done some improvements on that front in
ksh93.
--
Stephane
next prev parent reply other threads:[~2021-06-04 20:21 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-16 21:10 regexp-replace and ^, word boundary or look-behind operators Stephane Chazelas
2019-12-16 21:27 ` Stephane Chazelas
2019-12-17 7:38 ` Stephane Chazelas
2019-12-17 11:11 ` [PATCH] " Stephane Chazelas
2019-12-18 0:22 ` Daniel Shahaf
2019-12-18 8:31 ` Stephane Chazelas
2020-01-01 14:03 ` [PATCH v2] " Stephane Chazelas
2021-04-30 6:11 ` Stephane Chazelas
2021-04-30 23:13 ` Bart Schaefer
2021-05-05 11:45 ` [PATCH v3] regexp-replace and ^, word boundary or look-behind operators (and more) Stephane Chazelas
2021-05-31 0:58 ` Lawrence Velázquez
2021-05-31 18:18 ` Bart Schaefer
2021-05-31 21:37 ` [PATCH] (?) typeset array[position=index]=value Bart Schaefer
2021-06-01 5:32 ` Stephane Chazelas
2021-06-01 16:05 ` Bart Schaefer
2021-06-02 2:51 ` [PATCH] (take two?) typeset array[position=index]=value / unset hash[$stuff] Bart Schaefer
2021-06-02 10:06 ` Stephane Chazelas
2021-06-02 14:52 ` Bart Schaefer
2021-06-02 16:02 ` Stephane Chazelas
2021-06-02 9:11 ` [PATCH] (?) typeset array[position=index]=value Stephane Chazelas
2021-06-02 13:34 ` Daniel Shahaf
2021-06-02 14:20 ` Stephane Chazelas
2021-06-02 15:59 ` Bart Schaefer
2021-06-03 2:04 ` [PATCH (not final)] (take three?) unset "array[$anything]" Bart Schaefer
2021-06-03 2:42 ` Bart Schaefer
2021-06-03 6:12 ` Bart Schaefer
2021-06-03 8:54 ` Peter Stephenson
2021-06-03 13:13 ` Stephane Chazelas
2021-06-03 14:41 ` Peter Stephenson
2021-06-04 19:25 ` Bart Schaefer
2021-06-05 18:18 ` Peter Stephenson
2021-06-09 23:31 ` Bart Schaefer
2021-06-13 16:51 ` Peter Stephenson
2021-06-13 18:04 ` Bart Schaefer
2021-06-13 19:48 ` Peter Stephenson
2021-06-13 21:44 ` Bart Schaefer
2021-06-14 7:19 ` Stephane Chazelas
2021-06-03 18:12 ` Bart Schaefer
2021-06-04 8:02 ` Stephane Chazelas
2021-06-04 18:36 ` Bart Schaefer
2021-06-04 20:21 ` Stephane Chazelas [this message]
2021-06-05 0:20 ` Bart Schaefer
2021-06-05 17:05 ` Stephane Chazelas
2021-06-10 0:14 ` Square brackets in command position Bart Schaefer
2021-06-03 6:05 ` [PATCH (not final)] (take three?) unset "array[$anything]" Stephane Chazelas
2021-06-03 6:43 ` Bart Schaefer
2021-06-03 7:31 ` Stephane Chazelas
2021-06-10 0:21 ` [PATCH] (?) typeset array[position=index]=value Bart Schaefer
2021-06-05 4:29 ` Mikael Magnusson
2021-06-05 5:49 ` Bart Schaefer
2021-06-05 11:06 ` Mikael Magnusson
2021-06-05 16:22 ` Bart Schaefer
2021-06-18 10:53 ` Mikael Magnusson
2024-03-08 15:30 ` [PATCH v3] regexp-replace and ^, word boundary or look-behind operators (and more) Stephane Chazelas
2024-03-09 8:41 ` [PATCH v5] " Stephane Chazelas
2024-03-09 9:21 ` MBEGIN when =~ finds bytes inside characters (Was: [PATCH v5] regexp-replace and ^, word boundary or look-behind operators (and more).) Stephane Chazelas
2024-03-09 13:03 ` [PATCH v3] regexp-replace and ^, word boundary or look-behind operators (and more) Stephane Chazelas
2024-03-10 19:52 ` [PATCH v6] " Stephane Chazelas
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210604202116.gnxqqegfnmki2i57@chazelas.org \
--to=stephane@chazelas.org \
--cc=p.w.stephenson@ntlworld.com \
--cc=schaefer@brasslantern.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).