Skip Menu |
Report information
Id: 129183
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors:
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)

Attachments
0001-perl-129183-don-t-treat-as-an-escape-in-PATH-for-S.patch



Subject: perl -S erroneously allows \ escapes in PATH
Download (untitled) / with headers
text/plain 679b
On Unix, entries in PATH are separated by : and may validly contain backslashes. ‘perl -S’ erroneously To demonstrate: $ mkdir ~/'\' $ cat > ~/'\'/foo #!/usr/bin/perl print "Hahaha!\n"; ^D $ chmod +x ~/'\'/foo $ PATH=~/'\':$PATH foo Hahaha! $ PATH=~/'\':$PATH perl -S foo Can't find foo on PATH. $ echo $PATH /Users/sprout/\:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/bin perl is reading the initial ‘/Users/sprout/\:/usr/bin’ as one PATH entry, which is wrong. The Perl_find_script function in util.c uses delimcpy to find the colon. delimcpy allows the terminator to be escaped, which is inappropriate for this call site. -- Father Chrysostomos
Date: Sat, 03 Sep 2016 22:15:11 +0200
To: perl5-porters [...] perl.org
From: Tomasz Konojacki <me [...] xenu.pl>
Subject: Re: [perl #129183] perl -S erroneously allows \ escapes in PATH
Download (untitled) / with headers
text/plain 485b
On Sat, 3 Sep 2016 12:24:34 -0500 "Craig A. Berry" <craig.a.berry@gmail.com> wrote: Show quoted text
> But isn't colon technically legal (if inadvisable) in a Unix filename? > How would you get one of those in your PATH if you can't escape it?
According to POSIX, it's impossible: Show quoted text
> Since <colon> is a separator in this context, directory names that might > be used in PATH should not include a <colon> character.
http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 728b
On Sat Sep 03 13:15:40 2016, me@xenu.pl wrote: Show quoted text
> On Sat, 3 Sep 2016 12:24:34 -0500 > "Craig A. Berry" <craig.a.berry@gmail.com> wrote: >
> > But isn't colon technically legal (if inadvisable) in a Unix > > filename? > > How would you get one of those in your PATH if you can't escape it?
> > According to POSIX, it's impossible: >
> > Since <colon> is a separator in this context, directory names that > > might > > be used in PATH should not include a <colon> character.
> > http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03
Indeed, as I demonstrated, if you do try to escape a colon, it will not be escaped. The OS will treat \ as the last character of a path. -- Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 987b
On Sat Sep 03 13:20:14 2016, sprout wrote: Show quoted text
> On Sat Sep 03 13:15:40 2016, me@xenu.pl wrote:
> > On Sat, 3 Sep 2016 12:24:34 -0500 > > "Craig A. Berry" <craig.a.berry@gmail.com> wrote: > >
> > > But isn't colon technically legal (if inadvisable) in a Unix > > > filename? > > > How would you get one of those in your PATH if you can't escape > > > it?
> > > > According to POSIX, it's impossible: > >
> > > Since <colon> is a separator in this context, directory names that > > > might > > > be used in PATH should not include a <colon> character.
> > > > http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03
> > Indeed, as I demonstrated, if you do try to escape a colon, it will > not be escaped. The OS will treat \ as the last character of a path.
Speaking of which, does VMS allow \ to escape a path separator? Also, if the path separator is sometimes | on VMS, then is the code in util.c:find_script even correct for VMS? -- Father Chrysostomos
To: Craig Berry via RT <perlbug-followup [...] perl.org>
Date: Sat, 3 Sep 2016 16:58:51 -0500
Subject: Re: [perl #129183] perl -S erroneously allows \ escapes in PATH
From: "Craig A. Berry" <craig.a.berry [...] gmail.com>
CC: "Perl5 Porters (E-mail)" <perl5-porters [...] perl.org>
Download (untitled) / with headers
text/plain 973b
On Sat, Sep 3, 2016 at 3:20 PM, Father Chrysostomos via RT <perlbug-followup@perl.org> wrote: Show quoted text
> On Sat Sep 03 13:15:40 2016, me@xenu.pl wrote:
>> On Sat, 3 Sep 2016 12:24:34 -0500 >> "Craig A. Berry" <craig.a.berry@gmail.com> wrote: >>
>> > But isn't colon technically legal (if inadvisable) in a Unix >> > filename? >> > How would you get one of those in your PATH if you can't escape it?
>> >> According to POSIX, it's impossible: >>
>> > Since <colon> is a separator in this context, directory names that >> > might >> > be used in PATH should not include a <colon> character.
>> >> http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_03
> > Indeed, as I demonstrated, if you do try to escape a colon, it will not be escaped. The OS will treat \ as the last character of a path.
Ah, good. I had understood you to be saying that it did escape it and that's why you got one PATH entry for something that had an escaped colon in the middle.
To: Craig Berry via RT <perlbug-followup [...] perl.org>
Date: Sat, 3 Sep 2016 17:11:24 -0500
Subject: Re: [perl #129183] perl -S erroneously allows \ escapes in PATH
From: "Craig A. Berry" <craig.a.berry [...] gmail.com>
CC: "Perl5 Porters (E-mail)" <perl5-porters [...] perl.org>
On Sat, Sep 3, 2016 at 3:29 PM, Father Chrysostomos via RT <perlbug-followup@perl.org> wrote: Show quoted text
> On Sat Sep 03 13:20:14 2016, sprout wrote:
>> The OS will treat \ as the last character of a path.
> > Speaking of which, does VMS allow \ to escape a path separator? Also, if the path separator is sometimes | on VMS, then is the code in util.c:find_script even correct for VMS?
For purposes of -S, it doesn't look like path separators are involved at all on VMS. That's because it's not looking in PATH, it's looking in DCL$PATH, which is a search list logical name, meaning it's an ordered list that you iterate through, so there is no separator between elements because the elements are already distinct entries. Now that you mention it, though, -S is probably doing the wrong thing for case when running on VMS but under a Unix shell rather than DCL. I guess I'd have to make all the compile-time checks into run-time checks in Perl_find_script(). PERL5LIB tries to do both, i.e., function as a search list or as a single item with separators.
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 247b
On Fri Sep 02 22:28:05 2016, sprout wrote: Show quoted text
> The Perl_find_script function in util.c uses delimcpy to find the > colon. delimcpy allows the terminator to be escaped, which is > inappropriate for this call site.
So use delimcpy_no_escape()? Tony
Subject: 0001-perl-129183-don-t-treat-as-an-escape-in-PATH-for-S.patch
From a6a25977bac8954bedc8ce17c9429a38535e57a1 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Wed, 12 Oct 2016 10:42:47 +1100 Subject: (perl 129183) don't treat \ as an escape in PATH for -S --- util.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/util.c b/util.c index a69ddad..c6727bb 100644 --- a/util.c +++ b/util.c @@ -3455,9 +3455,8 @@ Perl_find_script(pTHX_ const char *scriptname, bool dosearch, if (len < sizeof tmpbuf) tmpbuf[len] = '\0'; # else - s = delimcpy(tmpbuf, tmpbuf + sizeof tmpbuf, s, bufend, - ':', - &len); + s = delimcpy_no_escape(tmpbuf, tmpbuf + sizeof tmpbuf, s, bufend, + ':', &len); # endif if (s < bufend) s++; -- 2.1.4
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 493b
On Tue Oct 11 16:44:52 2016, tonyc wrote: Show quoted text
> On Fri Sep 02 22:28:05 2016, sprout wrote:
> > The Perl_find_script function in util.c uses delimcpy to find the > > colon. delimcpy allows the terminator to be escaped, which is > > inappropriate for this call site.
> > So use delimcpy_no_escape()?
Yes. (At the time I reported it, I was looking for buggy users of delimcpy, and I correctly surmised that I would not have time to fix them all, hence this bug report.) -- Father Chrysostomos
Subject: Re: [perl #129183] perl -S erroneously allows \ escapes in PATH
To: "Perl5 Porters (E-mail)" <perl5-porters [...] perl.org>
Date: Sat, 3 Sep 2016 12:24:34 -0500
CC: bugs-bitbucket [...] rt.perl.org
From: "Craig A. Berry" <craig.a.berry [...] gmail.com>
Download (untitled) / with headers
text/plain 1.1k
On Sat, Sep 3, 2016 at 12:28 AM, Father Chrysostomos <perlbug-followup@perl.org> wrote: Show quoted text
> # New Ticket Created by Father Chrysostomos > # Please include the string: [perl #129183] > # in the subject line of all future correspondence about this issue. > # <URL: https://rt.perl.org/Ticket/Display.html?id=129183 > > > > On Unix, entries in PATH are separated by : and may validly contain backslashes. ‘perl -S’ erroneously > > To demonstrate: > > $ mkdir ~/'\' > $ cat > ~/'\'/foo > #!/usr/bin/perl > print "Hahaha!\n"; > ^D > $ chmod +x ~/'\'/foo > $ PATH=~/'\':$PATH foo > Hahaha! > $ PATH=~/'\':$PATH perl -S foo > Can't find foo on PATH. > $ echo $PATH > /Users/sprout/\:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/bin > > perl is reading the initial ‘/Users/sprout/\:/usr/bin’ as one PATH entry, which is wrong. > > The Perl_find_script function in util.c uses delimcpy to find the colon. delimcpy allows the terminator to be escaped, which is inappropriate for this call site.
But isn't colon technically legal (if inadvisable) in a Unix filename? How would you get one of those in your PATH if you can't escape it?
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 689b
On Sat, 28 Jan 2017 16:42:24 -0800, craig.a.berry@gmail.com wrote: Show quoted text
> On Sat, Sep 3, 2016 at 12:28 AM, Father Chrysostomos > <perlbug-followup@perl.org> wrote:
> > The Perl_find_script function in util.c uses delimcpy to find the > > colon. delimcpy allows the terminator to be escaped, which is > > inappropriate for this call site.
> > But isn't colon technically legal (if inadvisable) in a Unix filename? > How would you get one of those in your PATH if you can't escape it?
That's covered by the original quote from POSIX: directory names that might be used in PATH should not include a <colon> character. I've applied my patch as e80af1fd276d83858d27742ea887415e3263960b Tony
Download (untitled) / with headers
text/plain 317b
Thank you for filing this report. You have helped make Perl better. With the release yesterday of Perl 5.28.0, this and 185 other issues have been resolved. Perl 5.28.0 may be downloaded via: https://metacpan.org/release/XSAWYERX/perl-5.28.0 If you find that the problem persists, feel free to reopen this ticket.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org