From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 27358 invoked by alias); 19 Dec 2014 20:24:23 -0000 Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm Precedence: bulk X-No-Archive: yes List-Id: Zsh Workers List List-Post: List-Help: X-Seq: 34014 Received: (qmail 3180 invoked from network); 19 Dec 2014 20:24:08 -0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on f.primenet.com.au X-Spam-Level: X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.2 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1419019999; bh=9pznJ4LWfoeL8+6nxFlyB6Tsoxx/IMvcwqQh2n/zki4=; h=User-Agent:In-Reply-To:References:MIME-Version: Content-Transfer-Encoding:Content-Type:Subject:From:Date:To: Message-ID; b=X7CEiLTGWAHo5op/Ts6G5l1gHyZJ8xoWgyYoBTceP5zWo/DM+2TCgv4dKDDSmTdzX ImBa4U9nC8GnS8CWww02DJ+1ya54BBFAB4tNjghZfdTNfmEgdUZMtbOQPhoTkPn6ZJ 5slhqUFAjDHw5CcZfdUsyLMoHEwEEJZk112HkdL4= Authentication-Results: smtp2o.mail.yandex.net; dkim=pass header.i=@yandex.ru User-Agent: K-9 Mail for Android In-Reply-To: <20141219181652.GA3996@localhost.mi.fu-berlin.de> References: <1054131418926765@web2o.yandex.ru> <20141218192917.4df5324b@pws-pc.ntlworld.com> <20141218194758.329bd9ef@pws-pc.ntlworld.com> <20141219181652.GA3996@localhost.mi.fu-berlin.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset=UTF-8 Subject: Re: [BUG] Unicode variables can be exported and are exported metafied From: =?UTF-8?B?0J/QsNCy0LvQvtCyINCd0LjQutC+0LvQsNC5?= =?UTF-8?B?INCQ0LvQtdC60YHQsNC90LTRgNC+0LLQuNGH?= Date: Fri, 19 Dec 2014 23:13:10 +0300 To: "Christoph (Stucki) von Stuckrad" ,zsh-workers@zsh.org Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On December 19, 2014 9:17:37 PM EAT, "Christoph (Stucki) von Stuckrad" wrote: >On Thu, 18 Dec 2014, Bart Schaefer wrote: > >> Are we sure it's even "legal" to export Unicode variable names? >Internally >> we can kinda ignore POSIX as we choose, but the environment crosses >those >> boundaries. > >Independend of being 'legal' to me it seems dangerous! > >Comparing the 'working as written' example: > >~$ M='surprise; : ' MÄRCHEN=story sh -c 'echo $MÄRCHEN' >story > >to running it with all the other shells I keep around >(bash, dash, ash, sash - untested ksh and csh) >you always get: > >..................................vvvv >~$ M='surprise; : ' MÄRCHEN=story bash -c 'echo $MÄRCHEN' >surprise; : ÄRCHEN > >Which gives interesting new ways to introduce security-sensitive >changes into environments by letting a Program check the >UTF8-named-Variable for its contents, but really inserting data >by the broken-part-name, which might be passed unchecked! > >So PLEASE DO NOT EXPORT these ! > >Stucki I really do not see any problems here. If one has "surprise" in $M in an environment he runs typed scripts in then he already has much bigger problems. -----BEGIN PGP SIGNATURE----- Version: APG v1.1.1 iQJNBAEBCgA3BQJUlIbVMBwfMDI7PjIgHTg6PjswOSAQOzU6QTA9NEA+MjhHIDxr cC1wYXZAeWFuZGV4LnJ1PgAKCRBu+P2/AXZZIuF9D/4oc9QkX4ziGW34IpiFzPmA P4w5ZmbGFq8yV8IhYLX+SDukWSKP5j7K7CZgc6UU9Xftpr7RFbSXuRqyjTCWhzRM mt6od3PeOI6+nEF+hizz+3WwqiHmrB/pagP7qed3gjX6t6y9qV7g+QCXdL7EPOQ/ uUKDoAjF0LPOc0JUtKXVJNZzE6YsCmVL/hwdeGG7pNQ7tOUeKEeS02XwNphAdUw4 5tuwE/UBRxtcPyCE3pVsV9vXa+1cyREuyY50uH/lMRGR8FuyjNmPslvRfDmzWkxw x5OgxiyukBdxY4YLjiXuVLAVh/JqVmnZvMy2o6uqxESmv3tX8yOIjelFbwo6hZhz L7RAdsXdw23OFBqxTrHxnSbImQuCn2yS2CrmQmBe3adilj84XIpqlpQCKy/LdXm7 LQyCGrI8gUwKLmpeqvaHrp3SbFfUZIbtMOaccQwPGBfH67JA0CUr+HZv3fJ/Iijm F0LSsJTiQIgfeXXwk0nxHXUj/0yr5MEJUnVwFNY7C/tgOKRpDpwA5u2jgAvcYpUn YHJddwyHryeghp2JpiECprUEd1nGRj4ijbGb4uolbs7CxVpR6z+IadEzsSg5bd2y r499ADpGsuXM0U09unQUTMqsCaxW9y7VOeTqORSv/1jOG7O8vZIRIgLuyi+JYXsU vMCYECRmzPKvIdYOsbQ7Gg== =d7xB -----END PGP SIGNATURE-----