From nobody@FreeBSD.org  Mon Oct 25 17:07:27 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6E5EA106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 25 Oct 2010 17:07:27 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 4222B8FC1C
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 25 Oct 2010 17:07:27 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o9PH7RSP045894
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 25 Oct 2010 17:07:27 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o9PH7Rsu045893;
	Mon, 25 Oct 2010 17:07:27 GMT
	(envelope-from nobody)
Message-Id: <201010251707.o9PH7Rsu045893@www.freebsd.org>
Date: Mon, 25 Oct 2010 17:07:27 GMT
From: Mark Johnston <markjdb@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: sh(1): parser accepts invalid syntax without reporting an error
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         151720
>Category:       bin
>Synopsis:       [patch] sh(1): parser accepts invalid syntax without reporting an error
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    jilles
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 25 17:10:09 UTC 2010
>Closed-Date:    Wed May 04 21:57:43 UTC 2011
>Last-Modified:  Wed May 04 21:57:43 UTC 2011
>Originator:     Mark Johnston
>Release:        8.1-RELEASE
>Organization:
>Environment:
FreeBSD mark-laptop-bsd.mark-home 8.1-RELEASE FreeBSD 8.1-RELEASE #2: Tue Oct 19 21:08:25 EDT 2010     root@mark-laptop-bsd.mark-home:/usr/obj/usr/src/sys/GENERIC_BCM  i386
>Description:
One can use sh(1)'s '${#var}' syntax to get the length of the string referenced by var, or 0 if var is unset. However, in this case sh(1) doesn't verify that var is a valid variable name. For instance:

$ foo=bar
$ echo ${#foo}
3
$ echo ${#foo^^&$}
3
$ echo ${#foo?&$#$^%$#^%#$%^$#%}
3
$

and so on. bash and zsh correctly reject the last two expressions with a 'bad substitution' error as one would expect.
>How-To-Repeat:
Run sh(1) and try the above examples.
>Fix:
I've submitted a patch which fixes the parser. I've also attached a regression test to go into tools/regression/bin/sh/errors. With the patch, I get:

$ foo=bar
$ echo ${#foo}
3
$ echo ${#foo^^&$}
${foo...}: Bad substitution
$ echo ${#foo?&$#$^%$#^%#$%^$#%}
${foo...}: Bad substitution
$

Note that valid expressions such as '${#?}', '${#-}' and '${##}' are still handled properly with this patch.

Patch attached with submission follows:

diff --git a/bin/sh/parser.c b/bin/sh/parser.c
index c51ab48..40249f5 100644
--- a/bin/sh/parser.c
+++ b/bin/sh/parser.c
@@ -1283,6 +1283,8 @@ parsesub: {
 				}
 			}
 		} else if (subtype != VSERROR) {
+			if (subtype == VSLENGTH && c != '}')
+				subtype = VSERROR;
 			pungetc();
 		}
 		STPUTC('=', out);
diff --git a/tools/regression/bin/sh/errors/bad-parm-exp6.2 b/tools/regression/bin/sh/errors/bad-parm-exp6.2
new file mode 100644
index 0000000..6d4b5c2
--- /dev/null
+++ b/tools/regression/bin/sh/errors/bad-parm-exp6.2
@@ -0,0 +1 @@
+${#foo^}
diff --git a/tools/regression/bin/sh/errors/bad-parm-exp6.2.stderr b/tools/regression/bin/sh/errors/bad-parm-exp6.2.stderr
new file mode 100644
index 0000000..dbf14b5
--- /dev/null
+++ b/tools/regression/bin/sh/errors/bad-parm-exp6.2.stderr
@@ -0,0 +1 @@
+./errors/bad-parm-exp6.2: ${foo...}: Bad substitution


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->jilles 
Responsible-Changed-By: arundel 
Responsible-Changed-When: Tue Oct 26 01:37:05 UTC 2010 
Responsible-Changed-Why:  
Probably something jilles has an opinion about. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151720 
State-Changed-From-To: open->analyzed 
State-Changed-By: jilles 
State-Changed-When: Tue Oct 26 21:06:34 UTC 2010 
State-Changed-Why:  
This looks sensible, but needs more testing. 
I am adding it to my patch queue. 
Nitpick: the error message does not show the '#' but it may not be 
worth the additional code to fix that. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151720 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/151720: commit references a PR
Date: Wed,  4 May 2011 21:49:44 +0000 (UTC)

 Author: jilles
 Date: Wed May  4 21:49:34 2011
 New Revision: 221461
 URL: http://svn.freebsd.org/changeset/base/221461
 
 Log:
   sh: Detect an error for ${#var<GARBAGE>}.
   
   In particular, this makes things like ${#foo[0]} and ${#foo[@]} errors
   rather than silent equivalents of ${#foo}.
   
   PR:		bin/151720
   Submitted by:	Mark Johnston
   Exp-run done by: pav (with some other sh(1) changes)
 
 Added:
   head/tools/regression/bin/sh/errors/bad-parm-exp6.2   (contents, props changed)
   head/tools/regression/bin/sh/errors/bad-parm-exp6.2.stderr   (contents, props changed)
 Modified:
   head/bin/sh/parser.c
 
 Modified: head/bin/sh/parser.c
 ==============================================================================
 --- head/bin/sh/parser.c	Wed May  4 21:27:05 2011	(r221460)
 +++ head/bin/sh/parser.c	Wed May  4 21:49:34 2011	(r221461)
 @@ -1569,6 +1569,8 @@ varname:
  				}
  			}
  		} else if (subtype != VSERROR) {
 +			if (subtype == VSLENGTH && c != '}')
 +				subtype = VSERROR;
  			pungetc();
  		}
  		STPUTC('=', out);
 
 Added: head/tools/regression/bin/sh/errors/bad-parm-exp6.2
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/tools/regression/bin/sh/errors/bad-parm-exp6.2	Wed May  4 21:49:34 2011	(r221461)
 @@ -0,0 +1,2 @@
 +# $FreeBSD$
 +${#foo^}
 
 Added: head/tools/regression/bin/sh/errors/bad-parm-exp6.2.stderr
 ==============================================================================
 --- /dev/null	00:00:00 1970	(empty, because file is newly added)
 +++ head/tools/regression/bin/sh/errors/bad-parm-exp6.2.stderr	Wed May  4 21:49:34 2011	(r221461)
 @@ -0,0 +1 @@
 +./errors/bad-parm-exp6.2: ${foo...}: Bad substitution
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: analyzed->closed 
State-Changed-By: jilles 
State-Changed-When: Wed May 4 21:56:52 UTC 2011 
State-Changed-Why:  
Applied to 9-CURRENT, thanks! 
No MFC is planned because this is an incompatible change. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=151720 
>Unformatted:
