From: Peter Stephenson <p.w.stephenson@ntlworld.com>
To: zsh-workers@zsh.org
Subject: Re: [BUG] Two vulnerabilities in zsh
Date: Fri, 22 May 2020 19:56:24 +0100 [thread overview]
Message-ID: <caf94264beca79b390e226a971864b4947b0e501.camel@ntlworld.com> (raw)
In-Reply-To: <20200520004509.741352d3@tarpaulin.shahaf.local2>
On Wed, 2020-05-20 at 00:45 +0000, Daniel Shahaf wrote:
> Peter Stephenson wrote on Tue, 19 May 2020 21:38 +0100:
> > The BUG message simplifies to this:
> >
> > (127)9:32% zsh -fc '$\
> > ('
> > 1: BUG: parse error in command substitution
> > zsh:1: no such file or directory: pws/.
> >
> > The other output shows it's doing something it shouldn't even if there
> > isn't a crash as a result. Adding a command in front does produce a
> > crash.
> >
> > I think the backslashed newline is valid, and it looks like it's usually
> > correctly handled; apparently its presence is disguising the bad input
> > in this case.
>
> Test cases:
This seems to be doing the right thing. It's a bit hairy, but I think
it just *is* a bit hairy --- we do need to re-input the multi-character
special sequence if there's something to ignore in the middle. I can't
see an obvious problem with how I've done it as it can't be triggered by
anythign else that I can see.
There may be other sequences like this.
I believe inlined patches work from this version of Evolution...
pws
diff --git a/Src/lex.c b/Src/lex.c
index a541defe6..5382a5309 100644
--- a/Src/lex.c
+++ b/Src/lex.c
@@ -1237,6 +1237,19 @@ gettokstr(int c, int sub)
case LX2_BKSLASH:
c = hgetc();
if (c == '\n') {
+ if (lexbuf.len && !lexstop &&
+ (lexbuf.ptr[-1] == String ||
+ lexbuf.ptr[-1] == Qstring))
+ {
+ /*
+ * $-prefixed expression interrupted by \\\n.
+ * This is valid --- reparse.
+ */
+ --lexbuf.len;
+ --lexbuf.ptr;
+ c = '$';
+ continue;
+ }
c = hgetc();
if (!lexstop)
continue;
diff --git a/Test/D04parameter.ztst b/Test/D04parameter.ztst
index 6d2dd0d99..a3661f5da 100644
--- a/Test/D04parameter.ztst
+++ b/Test/D04parameter.ztst
@@ -2662,7 +2662,6 @@ F:behavior, see http://austingroupbugs.net/view.php?id=888
-f:regression test for workers/45843#1
?(eval):1: bad substitution
-# Temporarily using the 'D' flag because it generates a "BUG:" message in
-# debug builds only.
$ZTST_testdir/../Src/zsh -fc $'$\\\n('
-1Df:regression test for workers/45843#2: escaped newline in command substitution start token
+1f:regression test for workers/45843#2: escaped newline in command substitution start token
+?(eval):1: parse error near `$('
next prev parent reply other threads:[~2020-05-22 18:57 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-19 6:48 Aaron Esau
2020-05-19 17:04 ` Daniel Shahaf
2020-05-19 20:38 ` Peter Stephenson
2020-05-20 0:45 ` Daniel Shahaf
2020-05-22 18:56 ` Peter Stephenson [this message]
2020-05-22 21:47 ` Peter Stephenson
2020-05-23 2:17 ` Daniel Shahaf
2020-05-23 16:45 ` Peter Stephenson
2020-05-20 0:40 ` [BUG] Two vulnerabilities in zsh - #1 :: null dereference in check_colon_subscript in subst.c Daniel Shahaf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=caf94264beca79b390e226a971864b4947b0e501.camel@ntlworld.com \
--to=p.w.stephenson@ntlworld.com \
--cc=zsh-workers@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).