Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Tab-completion problem through ssh when files start by dash (_remote_files:compadd:80: bad option: -@)



Hi Daniel,

Thanks for your reply.

On Sat, Apr 15, 2017 at 01:19:02AM +0000, Daniel Shahaf wrote:
> Antoine Amarilli wrote on Thu, Apr 13, 2017 at 19:47:17 +0200:
> > So it looks to me like the internals of tab-completion are not properly
> > escaping the file names in this case, hence the warning. This is mostly
> > an annoyance, but maybe there could be some more problematic
> > implications (e.g., maybe a malicious jdoe on bar could create files
> > that would pass actual options to compadd and mess up more seriously
> > with the zsh session on foo).
> 
> The «-R remote-func» option seems to be the most obvious method of
> injection.  I'm not sure whether it requires a literal function name, or
> whether an anonymous function would be accepted too.

I played a bit with it but wasn't able to get it to execute. That said,
I'm not at all familiar with the semantics of compadd, so someone more
familiar who can reproduce the problem may be able to achieve
something...

> I think this fixes it?
> 
> diff --git a/Completion/Unix/Type/_remote_files b/Completion/Unix/Type/_remote_files
> index 1e9fed1..a5fce9a 100644

I patched my copy of
/usr/share/zsh/functions/Completion/Unix/_remote_files following this
diff, and indeed this silences the warning and tab-completion seems to
work. Thanks!

I guess it would be good to commit this fix in the codebase then?

Thanks a lot again!

Best,

-- 
Antoine Amarilli

Attachment: signature.asc
Description: PGP signature



Messages sorted by: Reverse Date, Date, Thread, Author