Re: Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins

[Aaron Schrab <aaron@xxxxxxxxxx>]

At 01:21 +0100 11 Feb 2026, Oliver Kiddle <opk@xxxxxxx> wrote:
> On 1 Feb, I wrote:
> > On further deliberation, I think we should just drop the whole
> > restricted mode feature. The documentation has carried a warning that
> > "the feature may be removed in future" for the past six years.
>
> Nobody argued for a reprieve so a patch to get rid of it follows.
>
> This does leave the option in existence but it does nothing. That's
> just for backwards compatibility with old set -o or setopt commands.
 
 Having the option do nothing sounds like a bad idea to me. If someone 
 is maintaining a system that tries to use restricted mode for security 
 updates their version without reading about this, they'll lose the 
 security that the option had provided.

 I think a better approach would be to have the shell exit with an error 
 if someone tries to use restricted mode.