bin/151720: sh(1): parser accepts invalid syntax without reporting an error

Mark Johnston markjdb at gmail.com
Mon Oct 25 17:10:10 UTC 2010 

>Number:         151720
>Category:       bin
>Synopsis:       sh(1): parser accepts invalid syntax without reporting an error
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 25 17:10:09 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Mark Johnston
>Release:        8.1-RELEASE
>Organization:
>Environment:
FreeBSD mark-laptop-bsd.mark-home 8.1-RELEASE FreeBSD 8.1-RELEASE #2: Tue Oct 19 21:08:25 EDT 2010     root at mark-laptop-bsd.mark-home:/usr/obj/usr/src/sys/GENERIC_BCM  i386
>Description:
One can use sh(1)'s '${#var}' syntax to get the length of the string referenced by var, or 0 if var is unset. However, in this case sh(1) doesn't verify that var is a valid variable name. For instance:

$ foo=bar
$ echo ${#foo}
3
$ echo ${#foo^^&$}
3
$ echo ${#foo?&$#$^%$#^%#$%^$#%}
3
$

and so on. bash and zsh correctly reject the last two expressions with a 'bad substitution' error as one would expect.
>How-To-Repeat:
Run sh(1) and try the above examples.
>Fix:
I've submitted a patch which fixes the parser. I've also attached a regression test to go into tools/regression/bin/sh/errors. With the patch, I get:

$ foo=bar
$ echo ${#foo}
3
$ echo ${#foo^^&$}
${foo...}: Bad substitution
$ echo ${#foo?&$#$^%$#^%#$%^$#%}
${foo...}: Bad substitution
$

Note that valid expressions such as '${#?}', '${#-}' and '${##}' are still handled properly with this patch.

Patch attached with submission follows:

diff --git a/bin/sh/parser.c b/bin/sh/parser.c
index c51ab48..40249f5 100644
--- a/bin/sh/parser.c
+++ b/bin/sh/parser.c
@@ -1283,6 +1283,8 @@ parsesub: {
 				}
 			}
 		} else if (subtype != VSERROR) {
+			if (subtype == VSLENGTH && c != '}')
+				subtype = VSERROR;
 			pungetc();
 		}
 		STPUTC('=', out);
diff --git a/tools/regression/bin/sh/errors/bad-parm-exp6.2 b/tools/regression/bin/sh/errors/bad-parm-exp6.2
new file mode 100644
index 0000000..6d4b5c2
--- /dev/null
+++ b/tools/regression/bin/sh/errors/bad-parm-exp6.2
@@ -0,0 +1 @@
+${#foo^}
diff --git a/tools/regression/bin/sh/errors/bad-parm-exp6.2.stderr b/tools/regression/bin/sh/errors/bad-parm-exp6.2.stderr
new file mode 100644
index 0000000..dbf14b5
--- /dev/null
+++ b/tools/regression/bin/sh/errors/bad-parm-exp6.2.stderr
@@ -0,0 +1 @@
+./errors/bad-parm-exp6.2: ${foo...}: Bad substitution


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list