Re: [BUG] Unicode variables can be exported and are exported metafied

["Christoph (Stucki) von Stuckrad" <stucki@xxxxxxxxxxxxxxx>]

On Thu, 18 Dec 2014, Bart Schaefer wrote:

> Are we sure it's even "legal" to export Unicode variable names?  Internally
> we can kinda ignore POSIX as we choose, but the environment crosses those
> boundaries.

Independend of being 'legal' to me it seems dangerous!

Comparing the 'working as written' example:

~$ M='surprise; : ' MÄRCHEN=story sh -c 'echo $MÄRCHEN'
story

to running it with all the other shells I keep around
(bash, dash, ash, sash - untested ksh and csh)
you always get:

..................................vvvv
~$ M='surprise; : ' MÄRCHEN=story bash -c 'echo $MÄRCHEN'
surprise; : ÄRCHEN

Which gives interesting new ways to introduce security-sensitive
changes into environments by letting a Program check the
UTF8-named-Variable for its contents, but really inserting data
by the broken-part-name, which might be passed unchecked!

So PLEASE DO NOT EXPORT these !

Stucki


-- 
Christoph von Stuckrad      * * |nickname |Mail <stucki@xxxxxxxxxxxxxxx> \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(Mo.,Mi.):+49 30 838-75 459|
Mathematik & Informatik EDV |\ *|if online|  (Di,Do,Fr):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin   * * |on IRCnet|Fax(home):   +49 30 77 39 6601/