Follow-up Comment #4, bug #64816 (project findutils):

> Actually, NUL-terminated processing is the safest way of
> file name processing with tools in shells

Yes, but most of the POSIX shell and utilities have no support for printing or
reading NUL delimited, it's only GNU extensions (well there will actually be
some limited support in the next revision of POSIX, see
https://austingroupbugs.net/view.php?id=243 ... but as far as I can see, this
is only for xargs and read).

So once POSIX' read has -d (as specified now in POSIX and e.g. already used in
bash) it will be possible to read a list of NUL delimited strings into shell
variables.

But most other standard utilities like grep, sed, wc or shell language
elements like command substitution do not support NUL delimited modes.
Thus many things will still not be possible.


> The point here is that the output should be safe no matter
> what malicious file an attacker might have placed, i.e., it
> should not disturb the terminal settings. 

Isn't that also what I'm asking for with a --quoting-style= option?
If quoted properly, the output could be re-used as literal in the shell,
without the need to read everything line by line with the future IFS='' read
-r -d '' ... and even with that some things will still be impossible, e.g.
re-use the read string in eval, since POSIX' printf won't have %q yet.


    _______________________________________________________

Reply to this item at:

  <https://savannah.gnu.org/bugs/?64816>

_______________________________________________
Message sent via Savannah
https://savannah.gnu.org/
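
The two points made in the comment above (reading NUL-delimited names with `read -d ''`, and quoting names so they can be re-used as shell literals) are shown here as an added example; it is not part of the original message or of findutils. It assumes bash for `read -d ''` and `printf %q`, and a `find` that supports `-print0`. The file names are constructed.

```bash
# Needs bash: `read -d ''` and `printf %q` are not in POSIX sh today.

# Scratch directory holding constructed, hostile file names.
make_fixture() {
  d=$(mktemp -d) || return 1
  : > "$d/plain.txt"
  : > "$d/two words.txt"
  : > "$d/"$'line1\nline2.txt'   # embedded newline
  : > "$d/"$'esc\033[31m.txt'    # embedded terminal escape sequence
  printf '%s\n' "$d"
}

# Newline-delimited count: what `find | wc -l` reports.
count_by_newline() {
  find "$1" -type f | wc -l | tr -d ' '
}

# NUL-delimited count: one loop iteration per real file name.
count_by_nul() {
  find "$1" -type f -print0 | {
    n=0
    while IFS= read -r -d '' f; do n=$((n + 1)); done
    printf '%s\n' "$n"
  }
}

# Quote each name with %q, re-parse the quoted text with eval, and
# count the names that come back byte-for-byte identical.
count_roundtrip_ok() {
  find "$1" -type f -print0 | {
    ok=0
    while IFS= read -r -d '' f; do
      printf -v quoted '%q' "$f"   # control bytes become \n, \E escapes
      eval "back=$quoted"          # acceptable only because %q produced it
      if [ "$back" = "$f" ]; then ok=$((ok + 1)); fi
    done
    printf '%s\n' "$ok"
  }
}

main() {
  dir=$(make_fixture) || return 1
  echo "newline-delimited: $(count_by_newline "$dir")"
  echo "NUL-delimited:     $(count_by_nul "$dir")"
  echo "%q round-trips:    $(count_roundtrip_ok "$dir")"
  rm -rf -- "$dir"
}
main
```

The newline-delimited count is one too high because the name with an embedded newline is seen as two records, while the NUL-delimited loop and the `%q` round trip both account for exactly the four files.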