Devuan bug report logs - #734
report of tcsh square-bracket globbing bug

version graph

Package: tcsh; Maintainer for tcsh is (unknown); Source for tcsh is src:tcsh.

Reported by: "Robert M. Riches Jr." <rm.riches@jacob21819.net>

Date: Wed, 4 Jan 2023 03:48:01 UTC

Severity: critical

Tags: debian

Found in version 6.21.00-1.1

Fixed in version 6.21.00-2

Done: Mark Hindley <mark@hindley.org.uk>

Forwarded to https://bugs.debian.org/999754

Full log


🔗 View this message in rfc822 format

MIME-Version: 1.0
X-Mailer: MIME-tools 5.509 (Entity 5.509)
X-Loop: owner@bugs.devuan.org
From: "Devuan bug Tracking System" <owner@bugs.devuan.org>
To: "Robert M. Riches Jr." <rm.riches@jacob21819.net>
Subject: bug#734 closed by Mark Hindley <mark@hindley.org.uk> (Re:
 bug#734: report of tcsh square-bracket globbing bug)
Message-ID: <handler.734.D734.167328229919019.notifdone@bugs.devuan.org>
References: <Y7xC4jCPbFwEXU/6@hindley.org.uk>
 <20230104034554.970D1283920@one.localnet>
X-Devuan-PR-Message: they-closed 734
X-Devuan-PR-Package: tcsh
X-Devuan-PR-Keywords: debian
Reply-To: 734@bugs.devuan.org
Date: Mon, 09 Jan 2023 16:40:03 +0000
Content-Type: multipart/mixed; boundary="----------=_1673282403-20595-1"
[Message part 1 (text/plain, inline)]
This is an automatic notification regarding your bug report
which was filed against the tcsh package:

#734: report of tcsh square-bracket globbing bug

It has been closed by Mark Hindley <mark@hindley.org.uk>.

Their explanation is attached below along with your original report.
If this explanation is unsatisfactory and you have not received a
better one in a separate message then please contact Mark Hindley <mark@hindley.org.uk> by
replying to this email.


-- 
734: https://bugs.devuan.org/cgi/bugreport.cgi?bug=734
Devuan Bug Tracking System
Contact owner@bugs.devuan.org with problems
[Message part 2 (message/rfc822, inline)]
From: Mark Hindley <mark@hindley.org.uk>
To: "Robert M. Riches Jr." <rm.riches@jacob21819.net>, 734-done@bugs.devuan.org
Subject: Re: bug#734: report of tcsh square-bracket globbing bug
Date: Mon, 9 Jan 2023 16:37:54 +0000
Version: 6.21.00-2

Closing as fixed in Debian 6.21.00-2

Mark
[Message part 3 (message/rfc822, inline)]
From: "Robert M. Riches Jr." <rm.riches@jacob21819.net>
To: submit@bugs.devuan.org
Subject: report of tcsh square-bracket globbing bug
Date: Tue, 03 Jan 2023 19:45:54 -0800
Package: tcsh
Version: 6.21.00-1.1
Severity: critical
Justification: causes serious data loss
Subject: tcsh: globbing false positives: [a-d]? and [a-d]* can delete unintended files like 21, 22, 23, etc.

Dear Maintainer,

(Apologies for sending this outside the reportbug tool.  The tool
refused to send it.  If this report gets accepted, I should file
bug reports against reportbug.)

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 4 (chimaera)
Release:	4
Codename:	chimaera
Architecture: x86_64

Kernel: Linux 5.10.0-20-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages tcsh depends on:
ii  libc6      2.31-13+deb11u5
ii  libcrypt1  1:4.4.18-4
ii  libtinfo6  6.2+20201114-2

tcsh recommends no packages.

tcsh suggests no packages.

-- no debconf information

Square-bracket globbing in this version of tcsh has false
positives, which can cause unintended files to be deleted
(perhaps without being noticed).

To reproduce: In an empty directory do these three commands:

    touch {a,b,c,d,2}{1,2,3}

    echo [a-d]*

    echo [a-d]?

Each of the echo commands prints this (modulo indentation):

    21 22 23 a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3

Each of the echo commands SHOULD print this (modulo indentation):

    a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3

The man page says this about a hyphen between square brackets:

    Within `[...]', a pair of characters separated by `-' matches
    any character lexically between the two.

"2" is _NOT_ lexically between "a" and "d".  Therefore, the
filenames that start with "2" should not be in the glob
expansion.

This bug can result in files being deleted that should not have
been deleted.

I'm told the bug is fixed in the latest upstream version and
possibly earlier.

Send a report that this bug log contains spam.


Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Mon Nov 25 09:55:51 2024;