From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 9167 invoked from network); 30 Apr 2021 20:14:14 -0000 Received: from zero.zsh.org (2a02:898:31:0:48:4558:7a:7368) by inbox.vuxu.org with ESMTPUTF8; 30 Apr 2021 20:14:14 -0000 ARC-Seal: i=1; cv=none; a=rsa-sha256; d=zsh.org; s=rsa-20200801; t=1619813654; b=qwTTrdgpX00L4hXxT19GNEt0s19IYzLH2Xy81pzKKVkQJ5pLdd3emzEsArrGrn0h4frKwNmpv2 Y60LVJ93TJ136VZe6kBdHXDvqF2mdtGxVBX06bORfqsz1/JPSDccnGTnkC3LmB+PkYIiO7PCLQ iz59GXFjGeYhf8Edjys44ZwuL/GywutD3C81+5PwvLJe5vO3jO8uWyXaN/CxsXwudq6nQ6VvoC 8qgA2GkctJLzgVHB+OTVZlp1m5RmGXxyRflmpTdKKzN8WcunmUiNIswr+wayvn+HtqNFXCiHMP Sk96nL8YS3LT7EwuFO5wV3Yf2Gox908co2S2IlXdxDc+BA==; ARC-Authentication-Results: i=1; zsh.org; iprev=pass (mail-ua1-f54.google.com) smtp.remote-ip=209.85.222.54; dkim=pass header.d=gmail.com header.s=20161025 header.a=rsa-sha256; dmarc=pass header.from=gmail.com; arc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed; d=zsh.org; s=rsa-20200801; t=1619813654; bh=qUFWRE+0jqvx+65BOLBgfiEPog+eG4Uppa2AebS3yLs=; h=List-Archive:List-Owner:List-Post:List-Unsubscribe:List-Subscribe:List-Help: List-Id:Sender:Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:DKIM-Signature:DKIM-Signature; b=rrX56hrYOnn6A5lZ+1hK536FjH9hh8afI35ovzxIPvi6AC/mwRBdc+V8fcD4f8Jw455httPDwP 8pn/+fCB4wbabSI6YF6S9mMCZrO706QFF8Wgc2MeJFEoZY4hNxVTbz/H6mvGezS0CDa6Ut1hsT yMoDJaM2mVBLvHJ6/L1dUb2+LxZncKrmDeLoejjAGMVsfmT6o8G7XoBDbXRwSaX8Wb4ORWxy5e JtPOJRX2W2tDQt5t0FFe/5Y9Ky0JtQWl6aRouw3fCgnF0V8x4bUOvzfPG2G5zk7rDOHVjqf+gG MQjkHdgKXdwj1qbygvlfDRV2Y/2m8N/QfrnJgqc9G2pA4Q==; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=zsh.org; s=rsa-20200801; h=List-Archive:List-Owner:List-Post:List-Unsubscribe: List-Subscribe:List-Help:List-Id:Sender:Content-Type:Cc:To:Subject:Message-ID :Date:From:In-Reply-To:References:MIME-Version:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID; bh=qUFWRE+0jqvx+65BOLBgfiEPog+eG4Uppa2AebS3yLs=; b=r8Ynew6VIzY3loYEB3bmGtQjre Y64GZV4TRhSlg2ktSzi2DrANI9XfO4KaK2+Af3d9CVl/yC9FrgWmiMpOPMZgsuWr3u/Kfm7+hb9Cy ioxrMZtmVZ8kbGVz+Y5LdqVXDCwMA8QeCjJ3Nvuz7U5PswrX2T4LrG1KdLffUPXPMz5LUR/5bigaF 6rog6U/jLQ7/UkX7yxpemQ6UvVj/Iwih0C7RVVhDyBJq7QwQY5jiaBExB4QBTrJEyoxtSCqhIdFy4 DOoodgD83zD1ZxFjzId8K3E41wOFQCuea72f0Wo9zbee2TuQVDbLYK0c4zzBS24/5Y4enHFq0TnMt 8ryneBWw==; Received: from authenticated user by zero.zsh.org with local id 1lcZWf-0007TL-Rj; Fri, 30 Apr 2021 20:14:13 +0000 Authentication-Results: zsh.org; iprev=pass (mail-ua1-f54.google.com) smtp.remote-ip=209.85.222.54; dkim=pass header.d=gmail.com header.s=20161025 header.a=rsa-sha256; dmarc=pass header.from=gmail.com; arc=none Received: from mail-ua1-f54.google.com ([209.85.222.54]:43626) by zero.zsh.org with esmtps (TLS1.3:TLS_AES_128_GCM_SHA256:128) id 1lcZWQ-0007GL-6v; Fri, 30 Apr 2021 20:13:58 +0000 Received: by mail-ua1-f54.google.com with SMTP id 72so5064075uaq.10 for ; Fri, 30 Apr 2021 13:13:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qUFWRE+0jqvx+65BOLBgfiEPog+eG4Uppa2AebS3yLs=; b=Yj4tqatXZSFX4OCgZ+mg8FnXJ4dqI8nczmYEuWtiUs0QYRlrNhNy+5Gv+JCZZc5El7 iKzOavXvJbny26PhI7nb8UwodY5GeKO8ymPH/SACGztKdA0js037W1LUk/XS4mGXdGKH fWBwhRkZQih+r2Alz7mkWgoE4jYAitnfy0Al8A81/6l10Yo3SPf/P+1M15+WZVmM1The CUCSkBSbajdoZFE2AZjniH1obpg8b98L5tu8CV5abuRPVXDbBm3v75zSOpPrdSni6PTx dZev5IBro3NLD/V0xucnQxVbn+orw867eeI4w2Ra965i6LUGCBdEoTkVnj6yj6rktQoZ FXEA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qUFWRE+0jqvx+65BOLBgfiEPog+eG4Uppa2AebS3yLs=; b=fAzjN+p+naVQDuhUnW9jewBKQ6Hh2ycW+6Z3nRgJx7u8dWTNMbR6H2I/MiZUF/aiWL U6jasbbRwpo4h6tVKnmWCpIioFmEviu/loBbx7dK7UMCKiokhFofyZmU9LA9XHAkLkfF uOnD982gH9UcLf8xYm9DteXD4fuvkfLwyZE/gjNlwMtNxwIfDnNj+ESRVuWEy0LYoTwN 97y8UC6WeuCoNntKGLAOjkn3x9CfLhRBmAECGxOsLneDRoNWFX7wgJUmN/1qfXFHnWNk ko8s6vwbSUJnVhP6s5uW9QYeyMQVD6Gflx/pgeI9QKDMps1yrv+AqQ7IjWQGR5/neaqj VBRA== X-Gm-Message-State: AOAM532rRCxAKSqqoVT1MUl+Bq27wvF4PnuHSCCC+7H3NhZthRASo4G/ 34g0fWPDbSS1Pcoqv8vW04URKZZcREscOZBgBus= X-Google-Smtp-Source: ABdhPJxaSD9zB7FjOLvZkJ92A8qqBG+ueo5qu33S82cO5Y4rQT7Dk7vU0LIba2dBwb4/hmyK94DWv9IzJYwUsuLl9qs= X-Received: by 2002:ab0:6043:: with SMTP id o3mr7045567ual.117.1619813636986; Fri, 30 Apr 2021 13:13:56 -0700 (PDT) MIME-Version: 1.0 References: <20210430065123.zjq2mpanmtbkkgfl@chazelas.org> In-Reply-To: <20210430065123.zjq2mpanmtbkkgfl@chazelas.org> From: Jacob Menke Date: Fri, 30 Apr 2021 16:13:46 -0400 Message-ID: Subject: Re: Bug in Functions/Misc/regexp-replace To: Jacob Menke , stephane@chazelas.org Cc: zsh-workers@zsh.org Content-Type: multipart/alternative; boundary="0000000000006f5b1505c1364037" X-Seq: 48756 Archived-At: X-Loop: zsh-workers@zsh.org Errors-To: zsh-workers-owner@zsh.org Precedence: list Precedence: bulk Sender: zsh-workers-request@zsh.org X-no-archive: yes List-Id: List-Help: List-Subscribe: List-Unsubscribe: List-Post: List-Owner: List-Archive: --0000000000006f5b1505c1364037 Content-Type: text/plain; charset="UTF-8" Awesome, thanks for the expert response! I vote for eval "$1=\$5" Jacob On Fri, 30 Apr 2021 at 02:51, Stephane Chazelas wrote: > 2021-04-29 19:53:52 -0400, Jacob Menke: > [...] > > regexp-replace str 'a' 'z' && echo $str > > > > Actual Output: > > (eval):1: bzd not found > > > > Expected: > > x :=bzd > [...] > > One might argue there's a problem with the (q) parameter > expansion flag, it escapes leading =s but not the =s that follow > : even though they're special there in assignments. > > $ echo a=x:=y > a=x:=y > $ a=x:=y > zsh: y not found > > BTW, zsh is the only shell where ~ is expanded in: > > $ zsh -c 'a=a\:~; echo $a' > a:/home/chazelas > > [...] > > One way to fix: > > 41: eval ${1}=${(qqq)5} > > The safest quoting operator is the (qq) one. I wouldn't use any > other for things to be reinput to the shell. > > See > > https://unix.stackexchange.com/questions/379181/escape-a-variable-for-use-as-content-of-another-script/600214#600214 > for details on that. > > In particular qqq uses double quotes inside which \ and ` are > still special and those characters also appear in the encoding > of some other characters in some locales. > > But here, the best thing to do is to not expose the parser to > the contents of $5 by doing: > > eval "$1=\$5" > > (which tells the shell to evaluate varname=$5) > > You need to expand $1 here which contains the variable name. > > Note that as already noted at > https://www.zsh.org/mla/workers/2019/msg01113.html > whether you use that or > > : ${(P)1::="$5"} > > You'll still have a command injection vulnerability if $1 is not > guaranteed to be a variable name. > > -- > Stephane > --0000000000006f5b1505c1364037 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Awesome, thanks for the expert response!

I vote for

eval "$1=3D\$5"

Jacob

On Fri, 30 Apr 2021 at 02:51, Stephane Cha= zelas <stephane@chazelas.org> wrote:
202= 1-04-29 19:53:52 -0400, Jacob Menke:
[...]
> regexp-replace str 'a' 'z' && echo $str
>
> Actual Output:
> (eval):1: bzd not found
>
> Expected:
> x :=3Dbzd
[...]

One might argue there's a problem with the (q) parameter
expansion flag, it escapes leading =3Ds but not the =3Ds that follow
: even though they're special there in assignments.

$ echo a=3Dx:=3Dy
a=3Dx:=3Dy
$ a=3Dx:=3Dy
zsh: y not found

BTW, zsh is the only shell where ~ is expanded in:

$ zsh -c 'a=3Da\:~; echo $a'
a:/home/chazelas

[...]
> One way to fix:
> 41: eval ${1}=3D${(qqq)5}

The safest quoting operator is the (qq) one. I wouldn't use any
other for things to be reinput to the shell.

See
https://unix.stackexchange.com/questions/379181/escape-a-va= riable-for-use-as-content-of-another-script/600214#600214
for details on that.

In particular qqq uses double quotes inside which \ and ` are
still special and those characters also appear in the encoding
of some other characters in some locales.

But here, the best thing to do is to not expose the parser to
the contents of $5 by doing:

eval "$1=3D\$5"

(which tells the shell to evaluate varname=3D$5)

You need to expand $1 here which contains the variable name.

Note that as already noted at
https://www.zsh.org/mla/workers/2019/msg01113.html=
whether you use that or

: ${(P)1::=3D"$5"}

You'll still have a command injection vulnerability if $1 is not
guaranteed to be a variable name.

--
Stephane
--0000000000006f5b1505c1364037--