On Wed, Nov 29, 2023 at 4:15 PM German Riano <griano@xxxxxxxxx> wrote:
>
> Even just using 'print -qn' works.
Er, what?

% print -qn foo
print: bad option: -q

Do you mean "printf %q ..." ?
> Questions:
> 1. Is "${(qq):-$ln} equivalent to "${(qq)ln} ?
Yes. I left it with the ":-" because in the other case there's a
trailing space inside the right brace (ultimately, inside the right
single-quote) and I thought one might be needed here as well.
> 2. Does the read command need '-r' ?
I don't think so, the backslashes will already have been removed by
"eval" ... but perhaps if there's actually a literal backslash in the
target name, yes.
> 3. Does using eval create the risk of arbitrary execution of code?
It does as written before any of these patches, because a target name
could embed matched pairs of single quotes and $(...) in such a way
that the eval would run the substitution.
I think fixing the inner-single-quoting via (qq) removes that
possibility, but it would still be better not to need the eval.
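
Added example, not part of the original message or of the zsh sources: a zsh sketch of the point in answers 1 and 3, showing a name placed raw between single quotes inside eval, the same name quoted with (qq), and plain assignment with no eval. The helper names and the sample target names are constructed for illustration; the substituted command is a harmless print.

```zsh
#!/usr/bin/env zsh
# Constructed sample names. The first closes the surrounding single quote,
# embeds a command substitution, then reopens the quote. The second only
# carries a literal backslash.
samples=( "all'\$(print INJECTED)'" 'dir\name' )

# Hypothetical helper: raw text pasted between single quotes, then eval'd.
# For the first sample eval parses: name='all'$(print INJECTED)''
unsafe_assign() {
  local ln=$1 name
  eval "name='$ln'"
  print -r -- "$name"
}

# Hypothetical helper: (qq) wraps the value in single quotes and escapes
# any embedded single quote, so eval sees one literal word.
safe_assign() {
  local ln=$1 name
  eval "name=${(qq)ln}"
  print -r -- "$name"
}

# Hypothetical helper: no eval at all, so nothing is parsed a second time.
noeval_assign() {
  local ln=$1 name
  name=$ln
  print -r -- "$name"
}

for ln in "${samples[@]}"; do
  print -r -- "input:    $ln"
  print -r -- "raw eval: $(unsafe_assign "$ln")"
  print -r -- "(qq):     $(safe_assign "$ln")"
  print -r -- "no eval:  $(noeval_assign "$ln")"

  # Question 1: both spellings produce the same quoted string.
  [[ "${(qq):-$ln}" == "${(qq)ln}" ]] && print -r -- "  \${(qq):-\$ln} matches \${(qq)ln}"

  # Round-trip check: a safely quoted value must come back unchanged.
  [[ "$(safe_assign "$ln")" == "$ln" ]] || print -r -- "  (qq) round-trip FAILED"
  # Detection check: the raw form changed the value, so eval interpreted it.
  [[ "$(unsafe_assign "$ln")" == "$ln" ]] || print -r -- "  raw eval altered the name"
done
```

Run it with zsh; any sample for which "raw eval" differs from "input" is one where eval interpreted part of the name instead of treating it as data.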