Zsh Mailing List Archive
Re: Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins
- X-seq: zsh-workers 54163
- From: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
- To: zsh-workers@xxxxxxx
- Cc: cyber security <cs7778503@xxxxxxxxx>
- Subject: Re: Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins
- Date: Thu, 29 Jan 2026 13:39:05 -0800
- Archived-at: <https://zsh.org/workers/54163>
- In-reply-to: <CAHYJk3TNNw-F7YTDZX24mJg2oCB=0dttrZcj83Hn2U+pymEKgA@mail.gmail.com>
- List-id: <zsh-workers.zsh.org>
- References: <CAPmip_z18_wQBZ09GG7TEKZ0GsTqQ34iZRvhsMAExOLSCcdQsg@mail.gmail.com> <CAHYJk3TNNw-F7YTDZX24mJg2oCB=0dttrZcj83Hn2U+pymEKgA@mail.gmail.com>
On Thu, Jan 29, 2026 at 3:16 AM Mikael Magnusson <mikachu@xxxxxxxxx> wrote:
>
> Are you sure about your 'Summary'? Those
> commands look like bash commands, not zsh commands. To write and/or
> append history to a file in zsh you would use fc -W and fc -A
On a few quick tests, "fc -W" and "fc -A" will not do anything unless
SAVEHIST is set to a nonzero value.
SAVEHIST can't be changed from within the shell in restricted mode.
So, if no other common usage would be broken, this could be "fixed"
just by blocking inheritance of SAVEHIST from the environment (or
doing so only in restricted mode, which might be slightly but not a
lot more difficult).
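
The change discussed above would live inside zsh; the same effect can be approximated where the restricted shell is launched. The wrapper below is an added example, not code from this thread or from the zsh project, and its function and variable names (`SCRUB_VARS`, `inherited_history_vars`, `run_scrubbed`, `launch_restricted_zsh`) are hypothetical. It assumes `printenv` is available and that `zsh` is on `PATH` when a shell is actually launched.

```shell
#!/bin/sh
# Added example; all function and variable names here are hypothetical.
# Variables that must not reach the restricted shell from the environment.
SCRUB_VARS="SAVEHIST"

# Print each SCRUB_VARS name that is currently exported to child processes.
inherited_history_vars() {
    for name in $SCRUB_VARS; do
        if printenv "$name" >/dev/null 2>&1; then
            printf '%s\n' "$name"
        fi
    done
}

# Run "$@" in a subshell with every SCRUB_VARS name unset, so the
# caller's own environment is left untouched.
run_scrubbed() {
    (
        for name in $SCRUB_VARS; do
            unset "$name"
        done
        exec "$@"
    )
}

# Report what was inherited (useful in session logs), then start zsh -r.
launch_restricted_zsh() {
    found=$(inherited_history_vars)
    if [ -n "$found" ]; then
        printf 'rzsh-launch: dropping inherited %s\n' $found >&2
    fi
    run_scrubbed zsh -r "$@"
}

# Only start a shell when asked to, so the file can also be sourced.
if [ "${1:-}" = "--launch" ]; then
    shift
    launch_restricted_zsh "$@"
fi
```

The wrapper only covers the inherited environment; it assumes nothing else the restricted shell reads at startup sets SAVEHIST.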