Zsh Mailing List Archive
Re: arithmetic expression from outside
2019-09-05 11:22:53 -0700, Bart Schaefer:
[...]
> % N='sum[$(echo Hello, world!>&2)]' bash -c 'echo $((N))'
> Hello, world!
> 0
>
> Zsh at least does not do that with parameters from the environment,
> although I'm not exactly sure what prevents it.
It does, but the variable has to be an array:
$ N='psvar[$(echo Hello, world!>&2)]' zsh -c 'echo $((N))'
Hello, world!
zsh:1: bad math expression: empty string
See also
https://unix.stackexchange.com/questions/172103/security-implications-of-using-unsanitized-data-in-shell-arithmetic-evaluation
That's regularly reported as a security vulnerability or at
least a misfeature that causes security vulnerabilities (to bash
and zsh at least; first time I heard about it was from Oliver
Kiddle here shortly after shellshock) and I agree it is.
It would be nice if something could be done about it, but I'm
not sure there's an easy solution other than redesigning a new
arithmetic expression parsing from scratch.
POSIX gets in the way because it requires $(($1)) to be done in
two steps: first expansion of $1 and then evaluation of the
expression resulting from that expansion (so with a value like
PATH=7734, you get a nasty side effect even with dash or other
shells that don't have extensions over the standard).
I'm not sure we can do anything safe without coming up with a
completely new, incompatible and pretty limited syntax.
--
Stephane
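An added example, not code from the thread, showing the defensive side of the point above: because $((…)) re-parses the expanded value as an expression (including assignments such as PATH=7734), untrusted input has to be checked against a strict integer pattern before it is ever placed inside an arithmetic expansion. The function names is_int, unsafe_add and safe_add are assumptions.

```shell
#!/bin/sh
# Added example: guarding arithmetic expansion against untrusted values.
# Function names are assumptions, not part of the mailing-list thread.

# Unsafe: the caller's string is spliced into the expression and re-parsed,
# so a value like 'y=42' is executed as an assignment, not treated as data.
unsafe_add() {
    echo "$(($1 + $2))"
}

# Accept only an optional leading sign followed by decimal digits.
# Exit status 0 means "plain integer literal", 1 means "reject".
is_int() {
    case "${1#[-+]}" in
        ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
}

# Safe: both operands are validated first, so nothing but a number reaches $(( )).
# Returns 1 (and prints nothing) for any operand that fails validation.
safe_add() {
    is_int "$1" && is_int "$2" || return 1
    echo "$(($1 + $2))"
}

# Demonstration on constructed input: the unsafe version silently assigns y,
# the safe version rejects the same value.
y=0
unsafe_add 'y=42' 1 >/dev/null
echo "after unsafe_add, y=$y"            # y has been set to 43
safe_add 'y=42' 1 || echo "safe_add rejected the value"
safe_add 2 3                              # prints 5
```

Leading zeros such as 010 pass the digit check but are read as octal by $(( )) in POSIX shells, so tighten the pattern to forbid them if the input is displayed back to users or compared with decimal values.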