From: Stephane Chazelas
To: Philippe Altherr
Cc: zsh-workers@zsh.org, Bart Schaefer
Subject: Re: Get cursor position (Was: [bug report] prompt can erase messages written on the terminal by background processes)
Date: Sun, 11 Dec 2022 18:00:53 +0000
Message-ID: <20221211180053.uzl5ejko45ks3bip@chazelas.org>

2022-12-09 13:46:21 +0100, Philippe Altherr:
[...]
> assign() {
>
>   print -v "$1" "$2"
>
> }
[...]

Note that that "assign" function has a command injection
vulnerability.

Even more so than for other commands, -- (- also works) should
always be used for "print" to separate options from non-options
at least when the first non-option argument is not guaranteed
not to start with - or +.

Try for instance:

    assign var '-va[1$(reboot)]'

So:

    assign() print -rv "$1" -- "$2"

Or the Bourne-compatible:

    assign() eval "$1=\$2"

Or POSIX:

    assign() { eval "$1=\$2"; }

A bit ironic that people often go to great lengths to avoid
using "eval" but end up coming up with unsafe solutions.

-- 
Stephane
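
The POSIX form from the message above, as an added example that is not part of the original message: it shows that values shaped like options or command substitutions are stored verbatim. The name check (`is_name`, a hypothetical helper) is an addition, needed because `eval` parses the variable name itself as code; the sample values are constructed.

```shell
# Added example, not code from the original message.
# is_name is a hypothetical helper; the sample values are constructed.

# Succeeds only if $1 is a plain shell identifier. eval parses NAME as code,
# so the eval-based forms are safe only when NAME passes a check like this.
is_name() (
  LC_ALL=C   # make the bracket ranges below ASCII-only
  case $1 in
    '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*) exit 1 ;;
  esac
  exit 0
)

# assign NAME VALUE: VALUE is copied verbatim. It is never seen as an option
# (no option-parsing command is involved) and never re-parsed as shell code
# (\$2 reaches eval as the literal text $2 and is expanded once, as data).
assign() {
  [ "$#" -eq 2 ] || { echo 'usage: assign NAME VALUE' >&2; return 2; }
  is_name "$1" || { echo 'assign: invalid variable name' >&2; return 1; }
  eval "$1=\$2"
}

# Constructed self-test: returns 0 only if every value round-trips unchanged
# and every malformed name is refused.
assign_selftest() {
  for v in '-va[1$(echo ran)]' '--' '+x' '-' 'a b  c' '$HOME `date` \n' ''; do
    assign out "$v" || return 1
    [ "$out" = "$v" ] || return 1
  done
  for n in '' '1abc' 'a b' 'a[1]' '-v'; do
    if assign "$n" x 2>/dev/null; then return 1; fi
  done
  return 0
}

assign_selftest && echo 'assign: all checks passed'
```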