Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh parser infinite loop in chuck from utils.c on malformed input

X-seq: zsh-workers 41093
From: Eduardo Bustamante <dualbus@xxxxxxxxx>
To: Peter Stephenson <p.stephenson@xxxxxxxxxxx>
Subject: Re: Zsh parser infinite loop in chuck from utils.c on malformed input
Date: Wed, 10 May 2017 09:57:05 -0500
Cc: zsh-workers@xxxxxxx
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mEnIhfUclEvQX+/raefdYjzF3VpkodHaCyDKKLPdyZo=; b=ijzWrUlxGw/TmTr3uEZlYqjKOC436g1am0FpNYnFHwhpGia7Yyrq7Z7LfknaBNUUd5 8OEB31o4bjR1IgxDVqnHjQnSN86exFCuhztmg7ru59NNROSoCVIOWldf/zc+I8cVU4CT uEphalLTVX9zM8cYEjttK6zpW3K6lKXx92kc8pYmPzUyjd+DSKnZPa7R2OehX5s87U8G 7t/2gVc9WsXiiWZ4qM+cU8yzj9ebGkS5Rdfp6fw0aZvoCu3fo7Tn/bYG9BxaME+c/e8L w5NO74pdQLADecBv5Nek1s6kEE5CeiwXEej5W1kTQVN6+rHTwXVf8AcFT+nRDBp9/fnw I/Rg==
In-reply-to: <20170510154555.2a07d67b@pwslap01u.europe.root.pri>
List-help: <mailto:zsh-workers-help@zsh.org>
List-id: Zsh Workers List <zsh-workers.zsh.org>
List-post: <mailto:zsh-workers@zsh.org>
Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
References: <CAOSMAuu3oUB7eMu_R8ZBEi2ie+07rfBjTC+EQekrVsYFWH4itw@mail.gmail.com> <170509234322.ZM7806@torch.brasslantern.com> <CGME20170510142145epcas4p1249de50a9a8d98af301ba6a69cb75a19@epcas4p1.samsung.com> <CAOSMAuvi6kjmwhJ65H3NkX1DefVVvZYs-kULDaX2sYEtSTqBfw@mail.gmail.com> <20170510154555.2a07d67b@pwslap01u.europe.root.pri>

On Wed, May 10, 2017 at 9:45 AM, Peter Stephenson
<p.stephenson@xxxxxxxxxxx> wrote:
[...]
> The problem is NO_EXEC is all things to all people; in the case of a
> shell there isn't really "just" a syntax check, because it's too
> flexible.  The result of a parameter expansion can in some cases have
> a significant effect on what you're doing, in particular if the command
> to execute is part of it.  Being able to parse a parameter substitution
> is itself quite an important check; and there's no fundamental
> difference in the code between looking through the parameter
> substitution and changing the arguments based on what you find.  The
> name NO_EXEC, rather than, say, SYNTAX_CHECK, is significant.
>
> Adding an additional mode that does even less is certainly possible, but
> not necessarily of very wide applicability.

Oh, I agree. Take for example:

  dualbus@debian:~$ for sh in bash ksh93 mksh dash zsh; do echo $sh
$($sh -n <<< 'echo x; ${a$b}' 2>&1); done
  bash
  ksh93 ksh93: syntax error at line 1: `$' unexpected
  mksh
  dash
  zsh zsh: bad substitution

Only ksh93 and zsh are able to detect the problematic parameter
expansion under noexec.

And I don't think there's enough value in implementing an additional
mode. I can just hack the source to disable the bits that I find
problematic for fuzzing.

Thank you for your answers!

References:
- Zsh parser infinite loop in chuck from utils.c on malformed input
  - From: Eduardo Bustamante
- Re: Zsh parser infinite loop in chuck from utils.c on malformed input
  - From: Bart Schaefer
- Re: Zsh parser infinite loop in chuck from utils.c on malformed input
  - From: Eduardo Bustamante
- Re: Zsh parser infinite loop in chuck from utils.c on malformed input
  - From: Peter Stephenson

Messages sorted by: Reverse Date, Date, Thread, Author