From mboxrd@z Thu Jan  1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.4
Received: (qmail 17559 invoked from network); 23 May 2020 16:46:04 -0000
Received: from ns1.primenet.com.au (HELO primenet.com.au) (203.24.36.2)
  by inbox.vuxu.org with ESMTPUTF8; 23 May 2020 16:46:04 -0000
Received: (qmail 16471 invoked by alias); 23 May 2020 16:45:53 -0000
Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List <zsh-workers.zsh.org>
List-Post: <mailto:zsh-workers@zsh.org>
List-Help: <mailto:zsh-workers-help@zsh.org>
List-Unsubscribe: <mailto:zsh-workers-unsubscribe@zsh.org>
X-Seq: 45900
Received: (qmail 2278 invoked by uid 1010); 23 May 2020 16:45:53 -0000
X-Qmail-Scanner-Diagnostics: from know-smtprelay-omc-10.server.virginmedia.net by f.primenet.com.au (envelope-from <p.w.stephenson@ntlworld.com>, uid 7791) with qmail-scanner-2.11 
 (clamdscan: 0.102.3/25814. spamassassin: 3.4.4.  
 Clear:RC:0(80.0.253.74):SA:0(-2.0/5.0):. 
 Processed in 3.728758 secs); 23 May 2020 16:45:53 -0000
X-Envelope-From: p.w.stephenson@ntlworld.com
X-Qmail-Scanner-Mime-Attachments: |
X-Qmail-Scanner-Zip-Files: |
Received-SPF: pass (ns1.primenet.com.au: SPF record at _smtprelay.virginmedia.com designates 80.0.253.74 as permitted sender)
X-Originating-IP: [86.16.88.158]
X-Authenticated-User: p.w.stephenson@ntlworld.com
X-Spam: 0
X-Authority: v=2.3 cv=YvshubQX c=1 sm=1 tr=0 a=MiHCjVqLJ44lE3bxSlffFQ==:117
 a=MiHCjVqLJ44lE3bxSlffFQ==:17 a=IkcTkHD0fZMA:10 a=npldXguGAAAA:8
 a=G6mTvS_JN9to982hSXAA:9 a=QEXdDO2ut3YA:10 a=1Z6EAcxPEhoA:10
 a=Y6yEfkeh0FwA:10 a=1MEZn5qd6kv58cYvHi58:22
Message-ID: <e6d03c3a68196fdb05a2cf5072dc7666cd4a9e17.camel@ntlworld.com>
Subject: Re: [BUG] Two vulnerabilities in zsh
From: Peter Stephenson <p.w.stephenson@ntlworld.com>
To: zsh-workers@zsh.org
Date: Sat, 23 May 2020 17:45:14 +0100
In-Reply-To: <20200523021732.73f77b73@tarpaulin.shahaf.local2>
References: 
	<wUyJbXo1lRhl4AYZR5ZuGgFNdYiAV1WPC7o0DRLgCliFUJuAePd3VZ2mcVzBKNW1nvmFCZMU6nd2jJ2gN2e02ioHUgzfAOjPzVUHXufMEIo=@protonmail.com>
	 <20200519170418.5bc00b2f@tarpaulin.shahaf.local2>
	 <c921824332bf2ca7bc6cff15bc7ffa0042b22677.camel@ntlworld.com>
	 <20200520004509.741352d3@tarpaulin.shahaf.local2>
	 <caf94264beca79b390e226a971864b4947b0e501.camel@ntlworld.com>
	 <70e0d7c11f064b4f52354e20fba6541cb25d89d9.camel@ntlworld.com>
	 <20200523021732.73f77b73@tarpaulin.shahaf.local2>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.5-0ubuntu0.18.04.2 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4wfBghqiFcCQnCvN4gw9dTgnmVyP/P6iXQmt9PdE3QDBX0JcvK5CDGcErd6wtfr8ABbpO/qkEpgYmzR14HQawlDeHr0/284Hbnw4bYPyyKO+sF2Kb1MrQZ
 4azYQ4Zy7RLSqqhoBzyztaHKpOWn2Ljzc+2CsFcNVbePiI47tiY8KQZo

Change of plan: I've done the fix for the original problem the same way
I did the fix for the follow up.  That's because I can no longer convince
myself that a String token last in the buffer is necessarily the very
start of a $-expansion --- it may be true, I'm just not sure --- and we
might as well be consistent in the two case.

The reason I did it that way to begin with was that way back when we
could only back up one input character.  But that hasn't been true since
I rewrote the input layer (between specific I/O types and history) some
time ago now.

The test cases are fixed --- there aren't any trailing spaces, even if
they show up in the patch.

pws


diff --git a/Src/lex.c b/Src/lex.c
index a541defe6..37fcec3e2 100644
--- a/Src/lex.c
+++ b/Src/lex.c
@@ -541,6 +541,17 @@ cmd_or_math_sub(void)
 {
     int c = hgetc(), ret;
 
+    if (c == '\\') {
+	c = hgetc();
+	if (c != '\n') {
+	    hungetc(c);
+	    hungetc('\\');
+	    lexstop = 0;
+	    return skipcomm() ? CMD_OR_MATH_ERR : CMD_OR_MATH_CMD;
+	}
+	c = hgetc();
+    }
+
     if (c == '(') {
 	int lexpos = (int)(lexbuf.ptr - tokstr);
 	add(Inpar);
@@ -998,6 +1009,16 @@ gettokstr(int c, int sub)
 	    break;
 	case LX2_STRING:
 	    e = hgetc();
+	    if (e == '\\') {
+		e = hgetc();
+		if (e != '\n') {
+		    hungetc(e);
+		    hungetc('\\');
+		    lexstop = 0;
+		    break;
+		}
+		e = hgetc();
+	    }
 	    if (e == '[') {
 		cmdpush(CS_MATHSUBST);
 		add(String);
diff --git a/Test/D04parameter.ztst b/Test/D04parameter.ztst
index 6d2dd0d99..e51c955ee 100644
--- a/Test/D04parameter.ztst
+++ b/Test/D04parameter.ztst
@@ -2662,7 +2662,25 @@ F:behavior, see http://austingroupbugs.net/view.php?id=888
 -f:regression test for workers/45843#1
 ?(eval):1: bad substitution
 
-# Temporarily using the 'D' flag because it generates a "BUG:" message in
-# debug builds only.
  $ZTST_testdir/../Src/zsh -fc $'$\\\n('
-1Df:regression test for workers/45843#2: escaped newline in command substitution start token
+1:regression test for workers/45843#2: escaped newline in command substitution start token
+?zsh:2: parse error near `$('
+
+# `
+
+ eval $'echo $\\\n(printf "%d\\n" $(( 4 + 2 )) )'
+0:Normal command substitution with escaped newline
+>6
+
+ eval $'echo $\\\n(( 14 / 2 ))'
+0:Normal math eval with escaped newline after $
+>7
+
+ eval $'echo $(\\\n( 15 / 3 ))'
+0:Normal math eval with escaped newline after $(
+>5
+
+  function '*' { echo What a star; }
+  eval 'echo $(\*)'
+0:Backslash character other than newline is normal after $(
+>What a star