On Wed, Jan 24, 2018 at 04:15:24PM +0100, [email protected] wrote:
> I found a bug in ksh's parameter expansion on an edge case:
>
> true $(true "${USER#'"'}")
>
> /home/sh[4]: no closing quote
>
> The problem seems to occurs when all of these conditions are present:
>
> 1. On ${var#pattern} or ${var%pattern} parameter expansion
> 2. When the pattern contains a singly quoted double quote: '"'
> 3. While expansion occurs withing $(...), (but not `...`)
> 4. While the expansion is quoted: "${var#pattern}".
>
> true can be replaced by other commands or var=...
> if '"' gets replaced by \", the issue disappear
>
> The bin/ksh/lex.c seems to use a big switch+goto table with one label
> per grammar context. Maybe by jumping from context to context in a
> specific pattern like above is producing the issue.
>
> I did try to figure out where, but I lack time for now.
>
> I hope the problem does not come from my way to test it and that it
> have not been fixed.
>
> $ uname -a # also tested with /bin/ksh
> OpenBSD t470s 6.2 GENERIC.MP#134 amd64
>
> $ cvs co bin/ksh/; cd bin/ksh; make
> [...]
>
> $ ./ksh ~/sh
> /home/sh[4]: no closing quote
For the record, probably related to this:
$ pwd
/usr/src/bin/ksh
$ sed -n 474,479p lex.c
case SCSPAREN: /* $( .. ) */
/* todo: deal with $(...) quoting properly
* kludge to partly fake quoting inside $(..): doesn't
* really work because nested $(..) or ${..} inside
* double quotes aren't dealt with.
*/
