Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Security issue in Zsh restricted mode (zsh -r) – escape via history built‑ins



On 12 Feb, Aaron Schrab wrote:
>   Having the option do nothing sounds like a bad idea to me. If someone 
>   is maintaining a system that tries to use restricted mode for security 
>   updates their version without reading about this, they'll lose the 
>   security that the option had provided.
>
>   I think a better approach would be to have the shell exit with an error 
>   if someone tries to use restricted mode.

An additional patch to fully remove the option follows.

While this is enough for zsh --restricted to print
  zsh: no such option: restricted
it does nothing for invoking zsh as rzsh. In your (or anyone else's)
opinion, should that code be retained and also replaced with an error?

There's also [[ -o restricted ]]. We could patch optison() in cond.c to
silently return 1 or leave it also printing a "no such option" error and
aborting.

The _set completion patch hunk was an omission from before.

Oliver

diff --git a/Completion/Zsh/Command/_set b/Completion/Zsh/Command/_set
index 27c7f3c7d..720c667a9 100644
--- a/Completion/Zsh/Command/_set
+++ b/Completion/Zsh/Command/_set
@@ -21,5 +21,5 @@ noglob _arguments -s -S \
   {-,+}d[no-globalrcs] {-,+}e[errexit] {-,+}f[no-rcs] {-,+}g[histignorespace] \
   {-,+}h[histignoredups] {-,+}i[interactive] {-,+}k[interactivecomments] \
   {-,+}l[login] {-,+}m[monitor] {-,+}n[no-exec] {-,+}p[privileged] \
-  {-,+}r[restricted] {-,+}t[singlecommand] {-,+}u[no-unset] {-,+}v[verbose] \
+  {-,+}t[singlecommand] {-,+}u[no-unset] {-,+}v[verbose] \
   {-,+}w[chaselinks] {-,+}x[xtrace] {-,+}y[shwordsplit]
diff --git a/Doc/Zsh/options.yo b/Doc/Zsh/options.yo
index 729a6ac26..77dfb3fdb 100644
--- a/Doc/Zsh/options.yo
+++ b/Doc/Zsh/options.yo
@@ -2466,14 +2466,6 @@ tt(-m) option of tt(setopt) and tt(unsetopt), and changing it inside a
 function always changes it globally regardless of the tt(LOCAL_OPTIONS)
 option.
 )
-pindex(RESTRICTED)
-pindex(NO_RESTRICTED)
-pindex(NORESTRICTED)
-cindex(restricted shell)
-item(tt(RESTRICTED) (tt(-r)))(
-This option is ignored and only exists for compatibility. Support
-for restricted mode has been removed.
-)
 pindex(SHIN_STDIN)
 pindex(NO_SHIN_STDIN)
 pindex(SHINSTDIN)
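Review bot: the RESTRICTED item in options.yo is deleted outright, so after this hunk the manual no longer records that RESTRICTED (-r) ever existed or that it was withdrawn. An administrator who meets "zsh: no such option: restricted" after an upgrade has nothing to look up. Suggest keeping the removed sentence "Support for restricted mode has been removed." somewhere that survives the option's removal, for example in the release notes, rather than dropping it with the entry.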
diff --git a/Src/options.c b/Src/options.c
index 649c654ba..7884299e1 100644
--- a/Src/options.c
+++ b/Src/options.c
@@ -240,7 +240,6 @@ static struct optname optns[] = {
 {{NULL, "rcs",		      OPT_ALL},			 RCS},
 {{NULL, "recexact",	      0},			 RECEXACT},
 {{NULL, "rematchpcre",	      0},			 REMATCHPCRE},
-{{NULL, "restricted",	      0},			 RESTRICTED},
 {{NULL, "rmstarsilent",	      OPT_BOURNE},		 RMSTARSILENT},
 {{NULL, "rmstarwait",	      0},			 RMSTARWAIT},
 {{NULL, "sharehistory",	      OPT_KSH},			 SHAREHISTORY},
@@ -357,7 +356,6 @@ static short zshletters[LAST_OPT - FIRST_OPT + 1] = {
     /* o */  0,			/* long option name follows */
     /* p */  PRIVILEGED,
     /* q */  0,
-    /* r */  RESTRICTED,
     /* s */  SHINSTDIN,
     /* t */  SINGLECOMMAND,
     /* u */ -UNSET,
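Review bot: deleting the "/* r */" row from zshletters[] moves every later initializer up one slot. The table is declared with LAST_OPT - FIRST_OPT + 1 entries and keeps unused letters as placeholders ("/* q */  0,"), which indicates it is indexed by option letter. With the row gone, the slot for 'r' holds SHINSTDIN, 's' holds SINGLECOMMAND and 't' holds -UNSET, so -r would be accepted as a different option instead of being rejected, and the letters after it would change meaning. Keep the row and zero it, as "/* r */  0,".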
@@ -434,7 +432,6 @@ static short kshletters[LAST_OPT - FIRST_OPT + 1] = {
     /* o */  0,
     /* p */  PRIVILEGED,
     /* q */  0,
-    /* r */  RESTRICTED,
     /* s */  SHINSTDIN,
     /* t */  SINGLECOMMAND,
     /* u */ -UNSET,
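Review bot: kshletters[] has the same positional layout as zshletters[] (same LAST_OPT - FIRST_OPT + 1 size, "/* o */  0," and "/* q */  0," as empty slots), so removing the "/* r */" row here also shifts SHINSTDIN, SINGLECOMMAND and -UNSET onto the wrong letters. Replace the row with "/* r */  0," instead of deleting it.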



