zsh-workers
 help / color / Atom feed
From: Peter Stephenson <p.w.stephenson@ntlworld.com>
To: zsh-workers@zsh.org
Subject: Re: [BUG] Two vulnerabilities in zsh
Date: Fri, 22 May 2020 22:47:58 +0100
Message-ID: <70e0d7c11f064b4f52354e20fba6541cb25d89d9.camel@ntlworld.com> (raw)
In-Reply-To: <caf94264beca79b390e226a971864b4947b0e501.camel@ntlworld.com>

On Fri, 2020-05-22 at 19:56 +0100, Peter Stephenson wrote:
> On Wed, 2020-05-20 at 00:45 +0000, Daniel Shahaf wrote:
> > Peter Stephenson wrote on Tue, 19 May 2020 21:38 +0100:
> > > The BUG message simplifies to this:
> > > 
> > > (127)9:32% zsh -fc '$\
> > > ('
> > > 1: BUG: parse error in command substitution
> > > zsh:1: no such file or directory: pws/.
> > > 
> > > The other output shows it's doing something it shouldn't even if there
> > > isn't a crash as a result.  Adding a command in front does produce a
> > > crash.
> > > 
> > > I think the backslashed newline is valid, and it looks like it's usually
> > > correctly handled; apparently its presence is disguising the bad input
> > > in this case.
> > 
> > Test cases:
> 
> This seems to be doing the right thing.

Enhanced version: this handles the bizarre but valid

echo $(\
(3+2))

and adds a few tests for cases without a parse error.

pws

diff --git a/Src/lex.c b/Src/lex.c
index a541defe6..9d29c1bc1 100644
--- a/Src/lex.c
+++ b/Src/lex.c
@@ -541,6 +541,16 @@ cmd_or_math_sub(void)
 {
     int c = hgetc(), ret;
 
+    if (c == '\\') {
+	c = hgetc();
+	if (c != '\n') {
+	    hungetc(c);
+	    hungetc('\\');
+	    return skipcomm() ? CMD_OR_MATH_ERR : CMD_OR_MATH_CMD;
+	}
+	c = hgetc();
+    }
+
     if (c == '(') {
 	int lexpos = (int)(lexbuf.ptr - tokstr);
 	add(Inpar);
@@ -1237,6 +1247,19 @@ gettokstr(int c, int sub)
 	case LX2_BKSLASH:
 	    c = hgetc();
 	    if (c == '\n') {
+		if (lexbuf.len && !lexstop &&
+		    (lexbuf.ptr[-1] == String ||
+		     lexbuf.ptr[-1] == Qstring))
+		{
+		    /*
+		     * $-prefixed expression interrupted by \\\n.
+		     * This is valid --- reparse.
+		     */
+		    --lexbuf.len;
+		    --lexbuf.ptr;
+		    c = '$';
+		    continue;
+		}
 		c = hgetc();
 		if (!lexstop)
 		    continue;
diff --git a/Test/D04parameter.ztst b/Test/D04parameter.ztst
index 6d2dd0d99..b0b53c7d0 100644
--- a/Test/D04parameter.ztst
+++ b/Test/D04parameter.ztst
@@ -2662,7 +2662,25 @@ F:behavior, see http://austingroupbugs.net/view.php?id=888
 -f:regression test for workers/45843#1
 ?(eval):1: bad substitution
 
-# Temporarily using the 'D' flag because it generates a "BUG:" message in
-# debug builds only.
  $ZTST_testdir/../Src/zsh -fc $'$\\\n('
-1Df:regression test for workers/45843#2: escaped newline in command substitution start token
+1f:regression test for workers/45843#2: escaped newline in command substitution start token
+?(eval):1: parse error near `$('
+
+# `
+
+ eval $'echo $\\\n(printf "%d\\n" $(( 4 + 2 )) )'
+0:Normal command substitution with escaped newline
+>6
+
+ eval $'echo $\\\n(( 14 / 2 ))'
+0:Normal math eval with escaped newline after $
+>7
+
+ eval $'echo $(\\\n( 15 / 3 ))'
+0:Normal math eval with escaped newline after $(
+>5
+
+  function '*' { echo What a star; }
+  eval 'echo $(\*)'
+0:Backslash character other than newline is normal after $(
+>What a star


  reply index

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-05-19  6:48 Aaron Esau
2020-05-19 17:04 ` Daniel Shahaf
2020-05-19 20:38   ` Peter Stephenson
2020-05-20  0:45     ` Daniel Shahaf
2020-05-22 18:56       ` Peter Stephenson
2020-05-22 21:47         ` Peter Stephenson [this message]
2020-05-23  2:17           ` Daniel Shahaf
2020-05-23 16:45             ` Peter Stephenson
2020-05-20  0:40 ` [BUG] Two vulnerabilities in zsh - #1 :: null dereference in check_colon_subscript in subst.c Daniel Shahaf

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=70e0d7c11f064b4f52354e20fba6541cb25d89d9.camel@ntlworld.com \
    --to=p.w.stephenson@ntlworld.com \
    --cc=zsh-workers@zsh.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

zsh-workers

Archives are clonable: git clone --mirror http://inbox.vuxu.org/zsh-workers

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.zsh.workers


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git