Re: arithmetic expression from outside

[Stephane Chazelas <stephane.chazelas@xxxxxxxxx>]

2019-09-05 11:22:53 -0700, Bart Schaefer:
[...]
> % N='sum[$(echo Hello, world!>&2)]' bash -c 'echo $((N))'
> Hello, world!
> 0
> 
> Zsh at least does not do that with parameters from the environment,
> although I'm not exactly sure what prevents it.

It does, but the variable has to be an array:

$ N='psvar[$(echo Hello, world!>&2)]' zsh -c 'echo $((N))'
Hello, world!
zsh:1: bad math expression: empty string

See also
https://unix.stackexchange.com/questions/172103/security-implications-of-using-unsanitized-data-in-shell-arithmetic-evaluation

That's regularly reported as a security vulnerability or at
least a misfeature that causes security vulnerabilities (to bash
and zsh at least; first time I heard about it was from Oliver
Kiddle here shortly after shellshock) and I agree it is.

It would be nice if something could be done about it, but I'm
not sure there's an easy solution other than redesigning a new
arithmetic expression parsing from scratch.

POSIX gets in the way because it requires $(($1)) to be done in
two steps: first expansion of $1 and then evaluation of the
expression resulting from that expansion (so with a value like
PATH=7734, you get a nasty side effect even with dash or other
shells that don't have extensions over the standard).

I'm not sure we can do anything safe without coming up with a
completely new, incompatible and pretty limited syntax.

-- 
Stephane