Zsh Mailing List Archive
Follow-up to here-document bug reported on zsh-security
- X-seq: zsh-workers 53889
- From: Bart Schaefer <schaefer@xxxxxxxxxxxxxxxx>
- To: Zsh hackers list <zsh-workers@xxxxxxx>
- Subject: Follow-up to here-document bug reported on zsh-security
- Date: Fri, 22 Aug 2025 20:57:55 -0700
- Archived-at: <https://zsh.org/workers/53889>
- List-id: <zsh-workers.zsh.org>
This is sort of as expected:
    Src/zsh -fxc 'x()<<abc;functions x'
    +zsh:1> functions x
    x () {
    <<abc
    abc
    }
This is not:
    Src/zsh -fxc 'x()<<abcd;functions x'
    +zsh:1> functions x
    x () {
    <<
    }
Any here-document introducer of more than 3 characters produces this
anomaly, which valgrind confirms is an effect of out-of-bounds read.
(The -fx command options are not required for the bug, just added here
for clarity.)
This example actually shows the read gone wild (results will vary
based on what's in your environment):
    Src/zsh -fxc 'x()<<\abc;functions x'
    +zsh:1> functions x
    x () {
    <<STGRES_LIB=/Library/PostgreSQL/8.3/lib
    abc
    }
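
As an added example (not part of the original message and not zsh project code), the following regression check runs the command from the message with delimiters of increasing length and verifies that the `functions x` listing re-emits the here-document introducer. The function names, the `ZSH_UNDER_TEST` variable and the length limit of 8 are assumptions; only unquoted delimiters are tested, since the message shows a correct listing only for that form.

```shell
#!/bin/sh
# Added example: regression check for the here-document listing above.
# Function names and ZSH_UNDER_TEST are hypothetical, not from zsh.

# check_roundtrip WANT LISTING
# Succeeds only if LISTING (output of `functions x`) contains the line
# "<<WANT" and the terminator line "WANT". Leading whitespace is ignored
# so an indented function body still matches.
check_roundtrip() {
    want=$1
    norm=$(printf '%s\n' "$2" | sed 's/^[[:space:]]*//')
    printf '%s\n' "$norm" | grep -Fxq -- "<<$want" || return 1
    printf '%s\n' "$norm" | grep -Fxq -- "$want"
}

# scan_lengths ZSH_BIN MAX
# Runs the command from the message with unquoted delimiters of length
# 1..MAX, prints the lengths whose listing does not round-trip, and
# returns non-zero if there are any.
scan_lengths() {
    zsh_bin=$1
    max=$2
    n=1
    delim=
    bad=
    while [ "$n" -le "$max" ]; do
        delim="${delim}a"
        # A crash or non-zero exit simply leaves a listing that fails.
        out=$("$zsh_bin" -fc "x()<<$delim;functions x" 2>/dev/null) || true
        check_roundtrip "$delim" "$out" || bad="$bad $n"
        n=$((n + 1))
    done
    printf '%s\n' "${bad# }"
    [ -z "$bad" ]
}

# Runs only when a binary is named, e.g. ZSH_UNDER_TEST=Src/zsh sh check.sh
if [ -n "${ZSH_UNDER_TEST:-}" ]; then
    if scan_lengths "$ZSH_UNDER_TEST" 8; then
        echo "here-document listings round-trip for lengths 1..8"
    else
        echo "here-document listing wrong for the lengths printed above" >&2
        exit 1
    fi
fi
```

Running the scan under valgrind, as the message does, additionally catches out-of-bounds reads that happen to produce a plausible-looking listing.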