Zsh Mailing List Archive
Messages sorted by:
Reverse Date,
Date,
Thread,
Author
Re: Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins
- X-seq: zsh-workers 54165
- From: Mikael Magnusson <mikachu@xxxxxxxxx>
- To: Oliver Kiddle <opk@xxxxxxx>
- Cc: cyber security <cs7778503@xxxxxxxxx>, zsh-workers@xxxxxxx
- Subject: Re: Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins
- Date: Fri, 30 Jan 2026 21:17:41 +0100
- Archived-at: <https://zsh.org/workers/54165>
- In-reply-to: <72787-1769800688.979791@U6Lk.sn9M.AyYc>
- List-id: <zsh-workers.zsh.org>
- References: <CAPmip_z18_wQBZ09GG7TEKZ0GsTqQ34iZRvhsMAExOLSCcdQsg@mail.gmail.com> <72787-1769800688.979791@U6Lk.sn9M.AyYc>
Comment in patch below.
On Fri, Jan 30, 2026 at 8:23 PM Oliver Kiddle <opk@xxxxxxx> wrote:
>
> cyber security wrote:
> > I am reporting a security issue in Zsh restricted mode (`zsh -r`).
>
> The patch below does block this along
> with fc -W or -A when a filename is specified.
>
> diff --git a/Src/Modules/system.c b/Src/Modules/system.c
> index f1c0d7042..644fa7f1a 100644
> --- a/Src/Modules/system.c
> +++ b/Src/Modules/system.c
> @@ -336,6 +336,10 @@ bin_sysopen(char *nam, char **args, Options ops, UNUSED(int func))
> zwarnnam(nam, "file descriptor not specified");
> return 1;
> }
> + if (write || append) {
> + zwarnnam(nam, "writing not allowed in restricted mode");
> + return 1;
> + }
Is this bit supposed to also have an isset(RESTRICTED)?
> /* file descriptor, either 0-9 or a variable name */
> fdvar = OPT_ARG(ops, 'u');
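Review bot: the added `if (write || append)` check in bin_sysopen is not gated on restricted mode, so as written it refuses every write or append open in any shell, even though its warning says "writing not allowed in restricted mode". The two bin_fc checks in this same patch test `isset(RESTRICTED)`; this one should match, for example `if (isset(RESTRICTED) && (write || append)) {`.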
> diff --git a/Src/builtin.c b/Src/builtin.c
> index 49fab93da..b2a2af10d 100644
> --- a/Src/builtin.c
> +++ b/Src/builtin.c
> @@ -1506,12 +1506,20 @@ bin_fc(char *nam, char **argv, Options ops, int func)
> return 0;
> }
> if (OPT_ISSET(ops,'W')) {
> + if (*argv && isset(RESTRICTED)) {
> + zwarnnam(nam, "writing not allowed in restricted mode");
> + return 1;
> + }
> /* write history to a file */
> savehistfile(*argv, 1, OPT_ISSET(ops,'I') ? HFILE_SKIPOLD : 0);
> unqueue_signals();
> return 0;
> }
> if (OPT_ISSET(ops,'A')) {
> + if (*argv && isset(RESTRICTED)) {
> + zwarnnam(nam, "writing not allowed in restricted mode");
> + return 1;
> + }
> /* append history to a file */
> savehistfile(*argv, 1, HFILE_APPEND |
> (OPT_ISSET(ops,'I') ? HFILE_SKIPOLD : 0));
>
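Review bot: both new early exits in bin_fc `return 1` without calling `unqueue_signals()`, while the existing exit from the -W branch calls `unqueue_signals()` before `return 0`. If signals are queued when these branches are reached, the refused-write path leaves them queued; add `unqueue_signals();` before each new `return 1;`. Also note the `*argv &&` condition only covers an explicit filename, so `fc -W` and `fc -A` with no argument still reach savehistfile(); a short comment saying that is intentional would help.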
--
Mikael Magnusson