Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: The zsh equivalent to Bash's "complete -W" to complete a command using only a list of words

X-seq: zsh-users 21438
From: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
To: Shlomi Fish <shlomif@xxxxxxxxx>
Subject: Re: The zsh equivalent to Bash's "complete -W" to complete a command using only a list of words
Date: Sat, 09 Apr 2016 17:45:18 +0000
Cc: Peter Stephenson <p.stephenson@xxxxxxxxxxx>, zsh-users@xxxxxxx
In-reply-to: <CANy4znWAhsamgKrpOqmWCNqOWuzwzvXRLSWL6=X8bo6CeH-eZg__45121.4810986587$1460209332$gmane$org@mail.gmail.com>
List-help: <mailto:zsh-users-help@zsh.org>
List-id: Zsh Users List <zsh-users.zsh.org>
List-post: <mailto:zsh-users@zsh.org>
Mailing-list: contact zsh-users-help@xxxxxxx; run by ezmlm
References: <CANy4znWN6KDopSvzrKQemKRyE9zeTx-yz-ChmOU0q6+XpuNXUw@mail.gmail.com> <20160409124553.783683a3@pwslap01u.europe.root.pri> <CANy4znWAhsamgKrpOqmWCNqOWuzwzvXRLSWL6=X8bo6CeH-eZg__45121.4810986587$1460209332$gmane$org@mail.gmail.com>

Shlomi Fish wrote on Sat, Apr 09, 2016 at 16:40:52 +0300:
>     compdef "_values $description $val1 $val2 $val3 $val4..." Theme
> 
> Where $description is a short description and $val1 $val2 are the values.

That's vulnerable to shell injection.

You need either to change "" to '' or to change «$foo» to «${(q)foo}»,
depending on whether you intend the variables to be interpolated at the
time you run compdef or at the time you invoke the completion.

Cheers,

Daniel
(I realize you might have intended those variables as metasyntax...)

References:
- The zsh equivalent to Bash's "complete -W" to complete a command using only a list of words
  - From: Shlomi Fish
- Re: The zsh equivalent to Bash's "complete -W" to complete a command using only a list of words
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author