Home | Devuan | Git | Forum | Packages | Popcon
Donate now!
Download

Devuan bug report logs - #734
report of tcsh square-bracket globbing bug

version graph

Package: tcsh; Maintainer for tcsh is (unknown); Source for tcsh is src:tcsh.

Reported by: "Robert M. Riches Jr." <rm.riches@jacob21819.net>

Date: Wed, 4 Jan 2023 03:48:01 UTC

Severity: critical

Tags: debian

Found in version 6.21.00-1.1

Fixed in version 6.21.00-2

Done: Mark Hindley <mark@hindley.org.uk>

Forwarded to https://bugs.debian.org/999754

Full log

Message #5 received at submit@bugs.devuan.org (full text, mbox, reply):

Received: (at submit) by bugs.devuan.org; 4 Jan 2023 03:46:41 +0000
Return-Path: <rm.riches@jacob21819.net>
Delivered-To: bugs@devuan.org
Received: from email.devuan.org [2001:41d0:2:d06e::5c4:2612]
	by doc.devuan.org with IMAP (fetchmail-6.4.16)
	for <debbugs@localhost> (single-drop); Wed, 04 Jan 2023 03:46:41 +0000 (UTC)
Received: from email.devuan.org
	by email.devuan.org with LMTP
	id 7VqKKXv2tGOwcgAAmSBk0A
	(envelope-from <rm.riches@jacob21819.net>)
	for <bugs@devuan.org>; Wed, 04 Jan 2023 03:46:03 +0000
Received: by email.devuan.org (Postfix, from userid 109)
	id 9C29E1267; Wed,  4 Jan 2023 03:46:03 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on email.devuan.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,RCVD_IN_DNSWL_NONE,SPF_PASS autolearn=ham
	autolearn_force=no version=3.4.6
Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=136.175.108.88; helo=mail-108-mta88.mxroute.com; envelope-from=rm.riches@jacob21819.net; receiver=<UNKNOWN> 
Received: from mail-108-mta88.mxroute.com (mail-108-mta88.mxroute.com [136.175.108.88])
	by email.devuan.org (Postfix) with ESMTPS id 7053FB11
	for <submit@bugs.devuan.org>; Wed,  4 Jan 2023 03:46:02 +0000 (UTC)
Received: from mail-111-mta2.mxroute.com ([136.175.111.2] filter006.mxroute.com)
 (Authenticated sender: mN4UYu2MZsgR)
 by mail-108-mta88.mxroute.com (ZoneMTA) with ESMTPSA id 1857ae2be08000011e.001
 for <submit@bugs.devuan.org>
 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES128-GCM-SHA256);
 Wed, 04 Jan 2023 03:45:58 +0000
X-Zone-Loop: a513a91697461ba46e44a92b00087a6743994c1add83
X-Originating-IP: [136.175.111.2]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=jacob21819.net; s=x; h=From:Message-Id:Subject:To:Date:Sender:Reply-To:Cc:
	MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:
	Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
	:Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
	List-Subscribe:List-Post:List-Owner:List-Archive;
	bh=0NnBZIZhfAypN8bbFsMSDNhX8uSa41pQOLaWDnBQ08k=; b=N2PPeGJOgy72hqhUoQKH6iBxW4
	gKZlsrQ7blFPLK0Qk6nPapj8oTfOZh12kqY1oLj6s1Shp2Y+N+4AfUfjmRwCX/My5FNVEzAMHA4X6
	erptGSjJOPALdwMlObf+hsB+Ic/+tVTq/qwBDtHmkuI6c/zyErpM/zRy9ne3+fz5sTOax09yK7iaE
	MazIRiEGgtTyOsoU/IATzet4vWFjoLZFjXP0Rc8Cq+tnwR2clsJ4dULauEzAtegWIwjx6CRr82YOv
	0g3BxArp4WoCBMEprqufk8E9dFKzS257Nkz/6cLyW3u7FLQGaWO2wNHzrFcJyPYierHh6qcq6dyl7
	bZKD6r0A==;
Date: Tue, 03 Jan 2023 19:45:54 -0800
To: submit@bugs.devuan.org
Subject: report of tcsh square-bracket globbing bug
User-Agent: s-nail v14.9.22
Message-Id: <20230104034554.970D1283920@one.localnet>
From: "Robert M. Riches Jr." <rm.riches@jacob21819.net>
X-Authenticated-Id: rm.riches@jacob21819.net

Package: tcsh
Version: 6.21.00-1.1
Severity: critical
Justification: causes serious data loss
Subject: tcsh: globbing false positives: [a-d]? and [a-d]* can delete unintended files like 21, 22, 23, etc.

Dear Maintainer,

(Apologies for sending this outside the reportbug tool.  The tool
refused to send it.  If this report gets accepted, I should file
bug reports against reportbug.)

-- System Information:
Distributor ID:	Devuan
Description:	Devuan GNU/Linux 4 (chimaera)
Release:	4
Codename:	chimaera
Architecture: x86_64

Kernel: Linux 5.10.0-20-amd64 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
LSM: AppArmor: enabled

Versions of packages tcsh depends on:
ii  libc6      2.31-13+deb11u5
ii  libcrypt1  1:4.4.18-4
ii  libtinfo6  6.2+20201114-2

tcsh recommends no packages.

tcsh suggests no packages.

-- no debconf information

Square-bracket globbing in this version of tcsh has false
positives, which can cause unintended files to be deleted
(perhaps without being noticed).

To reproduce: In an empty directory do these three commands:

    touch {a,b,c,d,2}{1,2,3}

    echo [a-d]*

    echo [a-d]?

Each of the echo commands prints this (modulo indentation):

    21 22 23 a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3

Each of the echo commands SHOULD print this (modulo indentation):

    a1 a2 a3 b1 b2 b3 c1 c2 c3 d1 d2 d3

The man page says this about a hyphen between square brackets:

    Within `[...]', a pair of characters separated by `-' matches
    any character lexically between the two.

"2" is _NOT_ lexically between "a" and "d".  Therefore, the
filenames that start with "2" should not be in the glob
expansion.

This bug can result in files being deleted that should not have
been deleted.

I'm told the bug is fixed in the latest upstream version and
possibly earlier.

Send a report that this bug log contains spam.

Devuan BTS -- Powered by Debian bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.

Devuan Bugs Owner <owner@bugs.devuan.org>.
Last modified: Mon Nov 25 09:48:17 2024;