Package: bash
Version: 4.3-11
Severity: normal

On Jessie, calling `echo "${FOO/bar/~}"` now always expands the tilde to
`$HOME`.  On Wheezy (4.2+dfsg-0.1+deb7u3) the tilde is not expanded, as
well as on latest Fedora and RHEL7 (can't say the exact versions now).

The following code can be used as a reproducer:

    FOO=bar
    echo "${FOO/a/~}" | grep \~

The above construct should replace `a` with `~` and print `b~r`, but
instead it replaces `a` with whatever the contents of your HOME variable
are.


Further notes
-------------

Bash is not particularly clear about this in the manpage:

> If a word begins with an unquoted tilde character (`~'), all of the
> characters preceding the first unquoted slash (or all characters,
> if there is no unquoted slash) are considered a tilde-prefix.
> If none of the characters in the tilde-prefix are quoted, the
> characters in the tilde-prefix following the tilde are treated as
> a possible login name.  If this login name is the null string,
> the tilde is replaced with the value of the shell parameter HOME.
> [...]

I mean, is the tilde considered quoted, since it's in a quoted
argument, or unquoted since it's not quoted as of itself?

Quoting the tilde itself, i.e. `echo "${FOO/a/"~"}"` does bring the desired
behavior but fails on the other mentioned versions--here `b"a"r` is printed.
(Same holds for backslash quoting).

Omitting the outer quotes from the expression *and* quoting the tilde by
itself

    echo ${FOO/a/"~"}

seems to print `b~r` everywhere, although it's a dangerous workaround from
a security POV.




-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages bash depends on:
ii  base-files   7.6
ii  dash         0.5.7-4
ii  debianutils  4.4
ii  libc6        2.19-11
ii  libncurses5  5.9+20140913-1
ii  libtinfo5    5.9+20140913-1

Versions of packages bash recommends:
ii  bash-completion  1:2.1-4

Versions of packages bash suggests:
pn  bash-doc  <none>

-- no debconf information
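
An added example, not part of the original report: a probe that runs the report's construct next to a form that keeps the outer double quotes and passes the tilde through a variable, plus a word count showing what dropping the outer quotes does to a value containing a space. `BASH_BIN`, the function names and the `/constructed/home` value are assumptions made for this sketch.

```shell
#!/usr/bin/env bash
# Added example. BASH_BIN, the function names and /constructed/home are
# assumptions made for this sketch; none of them come from the report.
BASH_BIN=${BASH_BIN:-bash}

# Run one snippet in a fresh shell with a constructed HOME and FOO=bar.
run_case() {
    HOME=/constructed/home FOO=bar "$BASH_BIN" -c "$1"
}

# Form from the report: the result depends on the bash version.
bare_tilde() { run_case 'echo "${FOO/a/~}"'; }

# Tilde supplied through a variable: the result of a parameter expansion
# is not tilde-expanded, and the outer double quotes stay in place.
via_variable() { run_case 't="~"; echo "${FOO/a/$t}"'; }

# Dropping the outer quotes: the result is word-split (and would also be
# glob-expanded) before the command sees it, so one value becomes two words.
words_unquoted() { run_case 'FOO="a b"; set -- ${FOO/a/"~"}; echo $#'; }
words_quoted()   { run_case 'FOO="a b"; t="~"; set -- "${FOO/a/$t}"; echo $#'; }

printf 'bare tilde in quotes : %s\n' "$(bare_tilde)"
printf 'tilde via variable   : %s\n' "$(via_variable)"
printf 'words, unquoted form : %s\n' "$(words_unquoted)"
printf 'words, quoted form   : %s\n' "$(words_quoted)"
```

Set `BASH_BIN` to the path of another bash build to compare versions side by side.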

