Re: questions re: NO_PROMPT_PERCENT

[Oliver Kiddle <opk@xxxxxxx>]

Roman Neuhauser wrote:
> so i tried turning PROMPT_PERCENT off, and ended up with broken
>
> * completion

For what it's worth, I neither see much breakage when turning
prompt_percent off nor do I find any uses of print -P when grepping in
the Completion directory of the zsh sources. If there are any, ${(%)...}
should be used instead. Is your breakage perhaps just a messed up
terminal due to literal escape sequences in your prompt? All the
complist and zformat stuff looks fine to me.

> * is there a meaningful difference between
>   set +o promptsubst; PROMPT="... $var ..."
>   and
>   set -o promptsubst; PROMPT='... $var ...'?

It changes when $var is expanded. I'd only use the latter with $var
being set from hook functions.

> * is my understanding of PROMPT being susceptible to malicious
>   data substituted directly as above correct?  what are effective
>   mitigations? does ${(V)} really have me covered under PROMPTSUBST?
>   what are the limits imposed by %{...%}?  the manual says it "should
>   not change the cursor position", a quick test suggests it would be
>   better worded as "will not be allowed ..."?  this deserves more
>   detail in the text.

You can specify a number with it where the content does advance the
cursor.

promptsubst also allows command and math substitutions. For security
to be a concern, you still have to personally configure it to fill the
variables with untrusted data. Things like key rebinding escape
sequences are long gone so I'm not sure you really need to worry but (V)
is likely harmless anyway.

> * does the topic deserve better coverage in the manual?
>   i'm convinced it does.

It's hard to comment without more specifics of what you'd want included.

> * would everyone (is there one?) using nopromptpercent raise their hand?
>   please describe your interactive use of zsh 5.x with nopromptpercent!

I was thinking the main use would be for sh emulation but apparently
that doesn't bother to unset it.

> * i keep praising zsh for its conservatism, but screw 1999, what is the
>   *goal* of the setting *today*?  ie. is the impact NOPROMPTPERCENT has
>   on CORRECT expected?  is it *desired*?  why?  what are the $REASONS
>   in "displaying the CORRECT prompt without substituting %R or %r is a
>   major goal of this option because $REASONS"?  i mean, if CORRECT is
>   a security concern (how?) then there's NOCORRECT, no?

Yes, that doesn't seem expecially useful but not entirely suprising when
thinking about implementation. Should we treat this as a bug?

> * why does it affect `print -P`?
> * why does it *not* affect the % parameter expansion flag?

print -P is older. I'd speculate that whoever implemented it considered it
useful to be able to print, e.g. $PS1 and have it appear as a prompt
would.

Oliver