Zsh Mailing List Archive

Re: arithmetic expression from outside

2019-09-05 11:22:53 -0700, Bart Schaefer:
> % N='sum[$(echo Hello, world!>&2)]' bash -c 'echo $((N))'
> Hello, world!
> 0
> Zsh at least does not do that with parameters from the environment,
> although I'm not exactly sure what prevents it.

It does, but the variable has to be an array:

$ N='psvar[$(echo Hello, world!>&2)]' zsh -c 'echo $((N))'
Hello, world!
zsh:1: bad math expression: empty string

See also

That's regularly reported as a security vulnerability or at
least a misfeature that causes security vulnerabilities (to bash
and zsh at least; first time I heard about it was from Oliver
Kiddle here shortly after shellshock) and I agree it is.

It would be nice if something could be done about it, but I'm
not sure there's an easy solution other than redesigning a new
arithmetic expression parsing from scratch.

POSIX gets in the way because it requires $(($1)) to be done in
two steps: first expansion of $1 and then evaluation of the
expression resulting from that expansion (so with a value like
PATH=7734, you get a nasty side effect even with dash or other
shells that don't have extensions over the standard).

I'm not sure we can do anything safe without coming up with a
completely new, incompatible and pretty limited syntax.
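
One way to keep externally supplied values out of the arithmetic evaluator discussed in this message, as an added example that is not part of the original post: accept only a plain decimal integer before the value reaches $((...)). The function names is_decimal, to_int and add_untrusted are hypothetical, and the sample input is the string quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# is_decimal VALUE: succeed only for an optionally signed run of decimal digits.
is_decimal() {
    case ${1#[+-]} in
        '' | *[!0-9]*) return 1 ;;   # empty, or contains a non-digit
    esac
    return 0
}

# to_int VALUE: print the canonical decimal form, or fail without evaluating it.
to_int() {
    is_decimal "$1" || return 1
    sign=
    case $1 in -*) sign=- ;; esac
    digits=${1#[+-]}
    # Strip leading zeros so that 010 is not read as octal later on.
    while [ "${#digits}" -gt 1 ]; do
        case $digits in
            0*) digits=${digits#0} ;;
            *)  break ;;
        esac
    done
    # 18 digits always fit in a signed 64-bit integer.
    [ "${#digits}" -le 18 ] || return 1
    if [ "$digits" = 0 ]; then sign=; fi
    printf '%s%s\n' "$sign" "$digits"
}

# add_untrusted A B: arithmetic on values that arrived from outside the script.
# Only validated, canonical integers are ever handed to $((...)).
add_untrusted() {
    a=$(to_int "$1") || return 1
    b=$(to_int "$2") || return 1
    echo "$((a + b))"
}

# Sample input: the value quoted in the message above.
hostile='psvar[$(echo Hello, world!>&2)]'
add_untrusted "$hostile" 1 || echo "rejected: not a decimal integer" >&2
```

The check runs before any arithmetic context sees the string, so neither the array subscript nor an assignment such as PATH=7734 is ever parsed as an expression.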

