Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: [PATCH] Allow globbing with unreadable parent directories

X-seq: zsh-workers 47828
From: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
To: Devin Hussey <husseydevin@xxxxxxxxx>
Cc: "zsh-workers@xxxxxxx" <zsh-workers@xxxxxxx>
Subject: Re: [PATCH] Allow globbing with unreadable parent directories
Date: Wed, 13 Jan 2021 20:04:06 -0800
Archived-at: <https://zsh.org/workers/47828>
Archived-at: <http://www.zsh.org/sympa/arcsearch_id/zsh-workers/2021-01/CAH%2Bw%3D7aoaGhVCqZQ6K%2Bz0HqJg3agOav6bh6M_9pg464aAC%2BhtQ%40mail.gmail.com>
In-reply-to: <CAEtFKssJVz9mr3vA_vY77m2bsrXWBKHz1qgv83jzeY0jLXzPjQ@mail.gmail.com>
List-id: <zsh-workers.zsh.org>
References: <CAEtFKssJf-cN_EM+=5_10seY58jqALV-YH8+z5+Lm-04v493Nw@mail.gmail.com> <CAH+w=7bn8JYPx29LPGnT4ughEt-z+-rUokUz739foP=JCY9B7g@mail.gmail.com> <CAEtFKssJVz9mr3vA_vY77m2bsrXWBKHz1qgv83jzeY0jLXzPjQ@mail.gmail.com>

On Wed, Jan 13, 2021 at 4:28 PM Devin Hussey <husseydevin@xxxxxxxxx> wrote:
>
> On Wed, Jan 13, 2021, 5:28 PM Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx> wrote:
>>
>> On Tue, Jan 12, 2021 at 7:04 PM Devin Hussey <husseydevin@xxxxxxxxx> wrote:
>> >
>> > POSIX specifies that when globbing, parent directories only have to be
>> > searchable, not readable.
>>
>> Lack of search permission only means that you can't tell what kind of
>> file "somefile" is (you can't read its inode data, e.g., stat() it),
>> not that you can't see the name itself.
>
> This matches the behavior of the "pure" globber, POSIX, and literally every other shell.

I tried the same test cases with "bash" and it behaved like
(unpatched) zsh.  Again, can you show me a counter-example?

> Case insensitivity should not change the output due to file permissions.

If that were a property of the filesystem, as for example on MacOS,
then I agree with you.

It's less clear when the filesystem is case-sensitive.  Why should
(#i)file not be the same as [Ff][Ii][Ll][Ee] ?

> opendir(fn) will also fail if the "folder" is a file.

Sure, but so might access(R_OK) ... and access(X_OK) might succeed on a file.

>> As far as I can tell, the patch
>> would only cause globbing to fail in more cases, not succeed where it
>> previously did not.
>
> No, that is definitely not the case.
>
> opendir() would fail if either R_OK or X_OK was false, causing unreadable folders to be a false negative.

I don't think that's true.  opendir() is fine with only R_OK.  Again,
try "ls" on a directory having mode 444.

What you cannot do is "ls -l parent/child" when parent is not searchable.

The actual problem is that PAT_PURES is never true when NO_CASE_GLOB
is set.  That means scanner() always passes through the branch that
attempts zreaddir()+pattry(), which fails when there is an unreadable
directory.  I'm not immediately sure how to fix that without
introducing a bug/vulnerability where a filename could be constructed
such that it literally matches the internal representation of a glob
pattern.

Follow-Ups:
- NO_CASE_GLOB and unreadable directories (Episode VI: A New Hope)
  - From: Bart Schaefer

References:
- [PATCH] Allow globbing with unreadable parent directories
  - From: Devin Hussey
- Re: [PATCH] Allow globbing with unreadable parent directories
  - From: Bart Schaefer
- Re: [PATCH] Allow globbing with unreadable parent directories
  - From: Devin Hussey

Messages sorted by: Reverse Date, Date, Thread, Author