Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: indirect assignment to array

X-seq: zsh-users 24781
From: Stephane Chazelas <stephane@xxxxxxxxxxxx>
To: Pier Paolo Grassi <pierpaolog@xxxxxxxxx>
Subject: Re: indirect assignment to array
Date: Thu, 16 Apr 2020 17:30:22 +0100
Cc: Mikael Magnusson <mikachu@xxxxxxxxx>, Zsh-Users List <zsh-users@xxxxxxx>
In-reply-to: <CAP+y1xAG3ayQNE3JqeF_YOT5FZ9pLiUAF5TmPVoOv+nPyjK30A__22203.4378488146$1586994256$gmane$org@mail.gmail.com>
List-help: <mailto:zsh-users-help@zsh.org>
List-id: Zsh Users List <zsh-users.zsh.org>
List-post: <mailto:zsh-users@zsh.org>
List-unsubscribe: <mailto:zsh-users-unsubscribe@zsh.org>
Mail-followup-to: Pier Paolo Grassi <pierpaolog@xxxxxxxxx>, Mikael Magnusson <mikachu@xxxxxxxxx>, Zsh-Users List <zsh-users@xxxxxxx>
Mailing-list: contact zsh-users-help@xxxxxxx; run by ezmlm
References: <CAP+y1xCb3NJn8BRsuwpO6XVgzAtGsBvP870M5na3mAH+CwJ_OA@mail.gmail.com> <CAHYJk3TmiNicTrwem6iRxKMxdNT5-ZB8W8vT5Gc=t7DrbPfBdQ@mail.gmail.com> <CAP+y1xAG3ayQNE3JqeF_YOT5FZ9pLiUAF5TmPVoOv+nPyjK30A__22203.4378488146$1586994256$gmane$org@mail.gmail.com>

2020-04-16 01:42:29 +0200, Pier Paolo Grassi:
> Il giorno gio 16 apr 2020 alle ore 01:13 Mikael Magnusson <mikachu@xxxxxxxxx>
> ha scritto:
[...]
> > : ${(PA)varname::=$array}
> > (leave out the A for scalar assignment, and use AA for assoc arrays).
[...]
> Thanks! I was afraid I had to resort to eval.
[...]

What's wrong with "eval"? Note that many of those alternatives
to "eval" are just other evals in disguise or are as dangerous
(but giving the wrong impression that they're not).

: ${(PA)varname::=$array}

is a command injection vulnerability if the content of $varname
is not sanitized.


$ varname='x[$(uname>&2)]'
$ : ${(PA)varname::=$array}
Linux
zsh: bad math expression: empty string

So is:

eval $varname'=("$array[@]")'

but at least it's more obvious that it is.

In any case, I'd expect the contents of $varname to be known and
trusted in this case, while that of $array could be anything.

Note that that "$array[@]" (instead of $array) is needed to
preserve empty elements.

-- 
Stephane

Follow-Ups:
- Re: indirect assignment to array
  - From: Pier Paolo Grassi

References:
- indirect assignment to array
  - From: Pier Paolo Grassi
- Re: indirect assignment to array
  - From: Mikael Magnusson

Messages sorted by: Reverse Date, Date, Thread, Author