From: Stephane Chazelas <stephane@chazelas.org>
To: Philippe Altherr <philippe.altherr@gmail.com>
Cc: zsh-workers@zsh.org, Bart Schaefer <schaefer@brasslantern.com>
Subject: Re: Get cursor position (Was: [bug report] prompt can erase messages written on the terminal by background processes)
Date: Sun, 11 Dec 2022 18:00:53 +0000
Message-ID: <20221211180053.uzl5ejko45ks3bip@chazelas.org>
In-Reply-To: <CAGdYchvNLkmDcPWRXrrmH6r7qZUt8PojXpVcZSagiRMDUVx9Wg@mail.gmail.com>

2022-12-09 13:46:21 +0100, Philippe Altherr:
[...]
> assign() {
>   print -v "$1" "$2"
> }
[...]

Note that that "assign" function has a command injection
vulnerability.

Even more so than for other commands, -- (- also works) should
always be used for "print" to separate options from non-options
at least when the first non-option argument is not guaranteed
not to start with - or +.

Try for instance:

  assign var '-va[1$(reboot)]'

So:

  assign() print -rv "$1" -- "$2"

Or the Bourne-compatible:

  assign() eval "$1=\$2"

Or POSIX:

  assign() { eval "$1=\$2"; }

A bit ironic that people often go to great lengths to avoid
using "eval" but end up coming up with unsafe solutions.

--
Stephane
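
The POSIX form from the message with one extra guard, as an added example that is not part of Stephane's message: the value passes through `eval "$1=\$2"` as data, but `$1` is still parsed by eval, so `assign_checked` (a hypothetical name, like `run_demo`) accepts only plain identifiers. The inputs are constructed, with the message's `reboot` replaced by a harmless marker-file write.

```shell
# Added example, not from the original message. assign_checked and run_demo
# are hypothetical names; all inputs below are constructed.

# POSIX form from the message: \$2 reaches eval as the literal text "$2",
# so the value is expanded once, as data, and never re-parsed as shell code.
assign() { eval "$1=\$2"; }

# Same assignment, but $1 must be a plain identifier because eval parses it.
assign_checked() {
  case $1 in
    '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*)
      printf 'assign: invalid variable name: %s\n' "$1" >&2
      return 2 ;;
  esac
  eval "$1=\$2"
}

# Runs three constructed cases; the marker file would record code execution.
run_demo() {
  marker=$(mktemp) && rm -f "$marker" || return 1
  # The value from the message, with reboot swapped for a marker-file write.
  payload="-va[1\$(: > '$marker')]"

  # Case 1: hostile value, trusted name. Stored verbatim, nothing executed.
  assign var "$payload"
  [ "$var" = "$payload" ] && [ ! -e "$marker" ] \
    && value_literal=yes || value_literal=no

  # Case 2: the same subscript text used as the variable name is refused.
  assign_checked "a[1\$(: > '$marker')]" x 2>/dev/null \
    && name_rejected=no || name_rejected=yes
  [ ! -e "$marker" ] && marker_absent=yes || marker_absent=no

  # Case 3: valid name, hostile value. Accepted and stored verbatim.
  assign_checked result "$payload" && [ "$result" = "$payload" ] \
    && checked_ok=yes || checked_ok=no

  rm -f "$marker"
}
```

After `run_demo`, the variables `value_literal`, `name_rejected`, `marker_absent` and `checked_ok` are all `yes`.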