Path: csiph.com!goblin1!goblin.stu.neva.ru!usenet.stanford.edu!not-for-mail
From: Sam Liddicott <sam@liddicott.com>
Newsgroups: gnu.bash.bug
Subject: Re: %q with truncating size loses safeness of %q
Date: Sat, 18 Apr 2020 08:16:31 +0100
Lines: 65
Approved: bug-bash@gnu.org
Message-ID: <mailman.566.1587194221.3066.bug-bash@gnu.org>
References: <CAOj-5WCqxqh=Gcda9k6y4orQaQYXPgsOgNEOVN1AdZQrkCVbtg@mail.gmail.com> <4bacf2f0-9802-67d3-f30b-80e37d058a4a@case.edu> <22039.1587163072@jinx.noi.kre.to> <CAOj-5WDk0Y5O=NLvzOJSxohHJQkW4OLV0Me6NUyp_1EpnYx9jg@mail.gmail.com>
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Trace: usenet.stanford.edu 1587194222 8588 209.51.188.17 (18 Apr 2020 07:17:02 GMT)
X-Complaints-To: action@cs.stanford.edu
Cc: Chester Ramey <chet.ramey@case.edu>, bug-bash@gnu.org
To: Robert Elz <kre@munnari.oz.au>
Envelope-to: bug-bash@gnu.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=liddicott-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=BaODHAZpKdIcRrf73SMEiHeMoC292QQUqFtUDDGepUE=; b=1c512mHTCpO1siV5sL3bMSKrn/BGtfw0VAgVqNcGkxJpKyh10rZMaCTpcZpRW99bdn wMqsaV6UgBD3elJE+KiXOxReFN3lYtJYUC5N3xvBPTWE8ct4/UIfPsXMBF/1lESXy0no G6KLGlPSJXRg3xQ/Z9YZvIX9uzv5EKUKBThAG5gUNzA3pLxySt0LO19hZ9KocC80tJQn AX+FkTa4VZJUGXCMK6dnirZgXzn2d4kCdtchqVGhY5eC9FUnr8bjrAQSpiLtiN0lw9vZ kCpXtS7PXOqAR/QTAlwN76738Pk8WikVGaCRx1G13XDl2NszjmlW6tWYrFHeObF5Zn2F Wirw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=BaODHAZpKdIcRrf73SMEiHeMoC292QQUqFtUDDGepUE=; b=RQv78lCBtfGsqPq4YxEyVIbcE+p1m43xgjcq0g+Sler4O+Pyja53/C1sXNOJM/MAwA W6xy77DfXZZzdaJRIrsyQk1tgcIWQ0Jzwb2gTWTDA1IvX+a+Pp0TAQSv6E5dvY2ZpgI3 OEQX49Gw1SPgoroaKoGb3LbcFsnVg11VTdOVwRmNqFxTn1Wtm6ZlACzImaG0r3ZYQuR2 aXNC7aMG/0wsNltOJRPY4FGTvk+HwhXC5TfQgw4bh5sEO+wRgE2jE0LC6PJH88l+GFj5 37DbH2JvL/QOFsSjZ832KYb7lWHBfJz/JBOw/+oUewygPnaHG4YKAflapdedr7g9YlAz ce5A==
X-Gm-Message-State: AGi0PuYMQlmF7eXeCjcplA/x3q+agyu8O+XVWPQ80FvybboqPWnKGyo2 dMuo+WwI37Q/3+Ti7/IDL1sJRCeY4olo+7EWUp6TQA==
X-Google-Smtp-Source: APiQypILJiHb3VXFuTEwUCV9Wz9Lff4bDbIlF3g6/60vvOEpj96FEtkq0dceXbMGkjRAJfDOxjfKbcWYljmqjYjxRDU=
X-Received: by 2002:a05:651c:449:: with SMTP id g9mr4314938ljg.278.1587194206116; Sat, 18 Apr 2020 00:16:46 -0700 (PDT)
In-Reply-To: <22039.1587163072@jinx.noi.kre.to>
X-detected-operating-system: by eggs.gnu.org: Genre and OS details not recognized.
X-Received-From: 2a00:1450:4864:20::229
X-Content-Filtered-By: Mailman/MimeDel 2.1.23
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-bash>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
X-Mailman-Original-Message-ID: <CAOj-5WDk0Y5O=NLvzOJSxohHJQkW4OLV0Me6NUyp_1EpnYx9jg@mail.gmail.com>
X-Mailman-Original-References: <CAOj-5WCqxqh=Gcda9k6y4orQaQYXPgsOgNEOVN1AdZQrkCVbtg@mail.gmail.com> <4bacf2f0-9802-67d3-f30b-80e37d058a4a@case.edu> <22039.1587163072@jinx.noi.kre.to>
Xref: csiph.com gnu.bash.bug:16164

In my case I was using process substitution to generate a dynamic bashrc
file as part of invoking an SDK environment.

Naturally those lines which emit environment variable assignments use %q

I had one build version tracking variable which was to be limited to 7
characters and set to a lowercase form of the username.

The most concise but surprisingly unsafe form is.

printf 'BUILD_VER_SUFFIX=%.7q\n' "${USER,,}"

That's clearly not artificially contrived; (though the user has the ability
to directly mess up their build environment anyway if they so wish).

The answer is obviously "don't do that" but it that requires a special
obscure knowledge which isn't documented.

Can we have bash printf to also not do that? Or if it must break the
security feature got which it exists can at least be documented?

I think I've made myself clear so I went harp on about it anymore unless I
find a more egregious opportunity for abuse.

Sam


On Fri, 17 Apr 2020, 23:38 Robert Elz, <kre@munnari.oz.au> wrote:

>     Date:        Fri, 17 Apr 2020 16:12:20 -0400
>     From:        Chet Ramey <chet.ramey@case.edu>
>     Message-ID:  <4bacf2f0-9802-67d3-f30b-80e37d058a4a@case.edu>
>
>   | I would say this is a programmer error.  The way precisions work with
>   | string arguments is that the argument is fetched or generated (this
>   | includes generating the quoted string for %q or the expanded string for
>   | %b) and then printf writes number of bytes (!) from that generated
> string
>   | specified by the precision.
>
> This happens only because of the cheap way we (and I presume you)
> implement things - in any rational scheme, it would take the precision
> chars from the source string, and then quote them.
>
> But that's hard - instead we just use printf to do the work, %q quotes
> the arg string, and then the 'q' is changed to a 's' in the format, and
> we just call printf(3) to do the work (padding, justification, ...)
>
> The only excuse for this is pragmatics, no-one would deliberately set
> out to design something quite that bogus.
>
> The end result is as Greg said, "Don't do that", if precisions are
> needed with %q do something like
>
>         printf 'echo %q%q\n' "$(printf %.2s "a'b")" ';ls'
>
> which produces
>
>         echo a\'\;ls
>
> which I expect is the desired result.
>
> kre
>
>