On Thu, Feb 27, 2025, at 12:43 PM, Michel Lind wrote:
> Hi all,
>
> A heads-up that I'm preparing a rebase of Fish in EPEL 9 to address this
> CVE
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2253972
>
>> Code execution does not appear to be possible, but denial of service
>> (through large brace expansion) or information disclosure (such as
>> variable expansion) is potentially possible under certain circumstances
>
> It's not a high severity, and there are several very minor behavioral
> changes in every 3.Y.0 minor release since 3.3.1, so I figure I'll play
> it safe and treat it as an incompatible update and flag it to this list
> first.

Pagure issue: https://pagure.io/epel/issue/320

Changelog: https://github.com/fish-shell/fish-shell/blob/master/CHANGELOG.rst

The "breaking" changes are listed below.

3.7.0 - Deprecations and removed features
-----------------------------------------

- ``LS_COLORS`` is no longer set automatically by the ``ls`` function (:issue:`10080`).
  Users that set ``.dircolors`` should manually import it using other means.
  Typically this would be ``set -gx LS_COLORS (dircolors -c .dircolors | string split ' ')[3]``

3.6.0 - Deprecations and removed features
-----------------------------------------

- The ``\x`` and ``\X`` escape syntax is now equivalent.
  ``\xAB`` previously behaved the same as ``\XAB``, except that it would error if the value "AB" was larger than "7f" (127 in decimal, the highest ASCII value) (:issue:`9247`, :issue:`9245`, :issue:`1352`).
- The ``fish_git_prompt`` will now only turn on features if the appropriate variable has been set to a true value (of "1", "yes" or "true") instead of just checking if it is defined.
  This allows specifically turning features *off* without having to erase variables, such as via universal variables.
  If you have defined a variable to a different value and expect it to count as true, you need to change it (:issue:`9274`).
  For example, ``set -g __fish_git_prompt_show_informative_status 0`` previously would have enabled informative status (because any value would have done so), but now it turns it off.
- Abbreviations are no longer stored in universal variables.
  Existing universal abbreviations are still imported, but new abbreviations should be added to ``config.fish``.
- The short option ``-r`` for abbreviations has changed from ``rename`` to ``regex``, for consistency with ``string``.

3.5.0 - Deprecations and removed features
-----------------------------------------

- The ``stderr-nocaret`` feature flag, introduced in fish 3.0 and enabled by default in fish 3.1, has been made read-only.
  That means it is no longer possible to disable it, and code supporting the ``^`` redirection has been removed (:issue:`8857`, :issue:`8865`).

  To recap: fish used to support ``^`` to redirect stderr, so you could use commands like::

    test "$foo" -gt 8 ^/dev/null

  to ignore error messages.

  This made the ``^`` symbol require escaping and quoting, and was a bit of a weird shortcut considering ``2>`` already worked, which is only one character longer.

  So the above can simply become::

    test "$foo" -gt 8 2>/dev/null

- The following feature flags have been enabled by default:

  - ``regex-easyesc``, which makes ``string replace -r`` not do a superfluous round of unescaping in the replacement expression.
    That means e.g. to escape any "a" or "b" in an argument you can use ``string replace -ra '([ab])' '\\\\$1' foobar`` instead of needing 8 backslashes.
    This only affects the *replacement* expression, not the *match* expression (the ``'([ab])'`` part in the example).
    A survey of plugins on GitHub did not turn up any affected code, so we do not expect this to affect many users.
    This flag was introduced in fish 3.1.
  - ``ampersand-nobg-in-token``, which means that ``&`` will not create a background job if it occurs in the middle of a word.
    For example, ``echo foo&bar`` will print "foo&bar" instead of running ``echo foo`` in the background and then starting ``bar`` as a second job.
    Reformatting with ``fish_indent`` would already introduce spaces, turning ``echo foo&bar`` into ``echo foo & bar``.
    This flag was introduced in fish 3.4.

  To turn off these flags, add ``no-regex-easyesc`` or ``no-ampersand-nobg-in-token`` to :envvar:`fish_features` and restart fish::

    set -Ua fish_features no-regex-easyesc

  Like ``stderr-nocaret``, they will eventually be made read-only.

- Most ``string`` subcommands no longer append a newline to their input if the input didn't have one (:issue:`8473`, :issue:`3847`).
- Fish's escape sequence removal (like for ``string length --visible`` or to figure out how wide the prompt is) no longer has special support for non-standard color sequences like from Data General terminals, e.g. the Data General Dasher D220 from 1984.
  This removes a bunch of work in the common case, allowing ``string length --visible`` to be much faster with unknown escape sequences.
  We don't expect anyone to have ever used fish with such a terminal (:issue:`8769`).
- Code to upgrade universal variables from fish before 3.0 has been removed.
  Users who upgrade directly from fish versions 2.7.1 or before will have to set their universal variables & abbreviations again (:issue:`8781`).
- The meaning of an empty color variable has changed (:issue:`8793`).
  Previously, when a variable was set but empty, it would be interpreted as the "normal" color.
  Now, empty color variables cause the same effect as unset variables - the general highlighting variable for that type is used instead.

  For example::

    set -g fish_color_command blue
    set -g fish_color_keyword

  would previously make keywords "normal" (usually white in a dark terminal).
  Now it'll make them blue.
  To achieve the previous behavior, use the normal color explicitly: ``set -g fish_color_keyword normal``.

  This makes it easier to make self-contained color schemes that don't accidentally use color that was set before.
  ``fish_config`` has been adjusted to set known color variables that a theme doesn't explicitly set to empty.
- ``eval`` is now a reserved keyword, so it can't be used as a function name.
  This follows ``set`` and ``read``, and is necessary because it can't be cleanly shadowed by a function - at the very least ``eval set -l argv foo`` breaks.
  Fish will ignore autoload files for it, so left over ``eval.fish`` from previous fish versions won't be loaded.
- The git prompt in informative mode now defaults to skipping counting untracked files, as this was extremely slow.
  To turn it on, set :envvar:`__fish_git_prompt_showuntrackedfiles` or set the git config value "bash.showuntrackedfiles" to ``true`` explicitly (which can be done for individual repositories).
  The "informative+vcs" sample prompt already skipped display of untracked files, but didn't do so in a way that skipped the computation, so it should be quite a bit faster in many cases (:issue:`8980`).
- The ``__terlar_git_prompt`` function, used by the "Terlar" sample prompt, has been rebuilt as a configuration of the normal ``fish_git_prompt`` to ease maintenance, improve performance and add features (like reading per-repo git configuration).
  Some slight changes remain; users who absolutely must have the same behavior are encouraged to copy the old function (:issue:`9011`, :issue:`7918`, :issue:`8979`).

3.4.0 - Deprecations and removed features
-----------------------------------------

- A new feature flag, ``ampersand-nobg-in-token`` makes ``&`` only act as background operator if followed by a separator.
  In combination with ``qmark-noglob``, this allows entering most URLs at the command line without quoting or escaping (:issue:`7991`).

  For example::

    > echo foo&bar # will print "foo&bar", instead of running "echo foo" in the background and executing "bar"
    > echo foo & bar # will still run "echo foo" in the background and then run "bar"
    # with both ampersand-nobg-in-token and qmark-noglob, this argument has no special characters anymore
    > open https://www.youtube.com/watch?v=dQw4w9WgXcQ&feature=youtu.be

  As a reminder, feature flags can be set on startup with ``fish --features ampersand-nobg-in-token,qmark-noglob`` or with a universal variable called ``fish_features``::

    > set -Ua fish_features ampersand-nobg-in-token

- ``$status`` is now forbidden as a command, to prevent a surprisingly common error among new users: Running ``if $status`` (:issue:`8171`).
  This applies *only* to ``$status``, other variables are still allowed.
- ``set --query`` now returns an exit status of 255 if given no variable names.
  This means ``if set -q $foo`` will not enter the if-block if ``$foo`` is empty or unset.
  To restore the previous behavior, use ``if not set -q foo; or set -q $foo`` - but this is unlikely to be desirable (:issue:`8214`).
- ``_`` is now a reserved keyword (:issue:`8342`).
- The special input functions ``delete-or-exit``, ``nextd-or-forward-word`` and ``prevd-or-backward-word`` replace fish functions of the same names (:issue:`8538`).
- Mac OS X 10.9 is no longer supported. The minimum Mac version is now 10.10 "Yosemite."
Best regards,

-- 
    _o)   Michel Lind
    _( )  identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
          README: https://fedoraproject.org/wiki/User:Salimma#README

-- 
_______________________________________________
epel-devel mailing list -- epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to epel-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/epel-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
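Several of the changelog entries quoted in the message above (the removed ``^`` stderr redirection, ``eval`` becoming a reserved keyword, ``fish_git_prompt`` only honouring "1"/"yes"/"true", empty ``fish_color_*`` variables no longer meaning "normal", and ``stderr-nocaret`` becoming read-only) are the kind of change an existing config trips over silently once the rebase lands. The script below is an added example, not fish project code and not part of this thread: a POSIX shell pre-upgrade audit that greps a fish config directory for those patterns and tags each hit. Everything in it is my own: the function names ``audit_fish_config`` and ``make_sample_config``, the tag names, and the constructed sample config it builds in a temp directory when run without arguments. It assumes only grep, find and sed, and the matching is heuristic (for instance ``^/`` inside a quoted regex will also be flagged), so each hit is meant to be reviewed by hand rather than auto-fixed.

```shell
#!/bin/sh
# Added example (not fish project code): pre-upgrade audit of a fish
# config tree for the 3.4.0 - 3.7.0 behaviour changes listed above.
# Output is one "TAG file:line:text" line per finding; grep-based, so
# treat hits as candidates to review, not as confirmed problems.

audit_fish_config() {
    dir="$1"

    # 3.5.0: the ^ stderr redirection is gone; "cmd ^/dev/null" or
    # "cmd ^&1" must become "cmd 2>/dev/null" or "cmd 2>&1".
    grep -rEn '\^(/|&)' "$dir" | sed 's/^/CARET-REDIRECT /'

    # 3.5.0: eval is a reserved keyword; a user-defined "function eval"
    # or a leftover eval.fish autoload file is now ignored (dead code).
    grep -rEn '^[[:space:]]*function[[:space:]]+eval([[:space:]]|$)' "$dir" \
        | sed 's/^/EVAL-FUNCTION /'
    find "$dir" -name eval.fish | sed 's/^/EVAL-AUTOLOAD /'

    # 3.6.0: fish_git_prompt only treats 1, yes or true as "on"; a
    # __fish_git_prompt_show* variable set to 0 (or set but empty) used
    # to enable the feature and now disables it. showupstream takes
    # non-boolean values, so it is skipped.
    grep -rEn 'set[[:space:]].*__fish_git_prompt_show[a-z_]*' "$dir" \
        | grep -v showupstream \
        | grep -vE '[[:space:]](1|yes|true)[[:space:]]*$' \
        | sed 's/^/GIT-PROMPT-VALUE /'

    # 3.5.0: an empty fish_color_* variable no longer means "normal";
    # it now falls back to the general highlighting variable instead.
    grep -rEn 'set[[:space:]]+(-+[a-zA-Z]+[[:space:]]+)*fish_color_[a-z_]+[[:space:]]*$' "$dir" \
        | sed 's/^/EMPTY-COLOR /'

    # 3.5.0: stderr-nocaret is read-only, so no-stderr-nocaret in
    # fish_features is silently ineffective.
    grep -rEn 'no-stderr-nocaret' "$dir" | sed 's/^/STDERR-NOCARET-FLAG /'
}

# Constructed sample config (not a real user's files) exercising every
# pattern the audit looks for; used by the demo run and by the tests.
make_sample_config() {
    dir="$1"
    mkdir -p "$dir/functions"
    cat > "$dir/config.fish" <<'EOF'
# constructed sample, not a real user's config
test "$foo" -gt 8 ^/dev/null
set -g __fish_git_prompt_show_informative_status 0
set -g __fish_git_prompt_showdirtystate
set -g __fish_git_prompt_showcolorhints 1
set -g fish_color_command blue
set -g fish_color_keyword
set -Ua fish_features no-stderr-nocaret
EOF
    cat > "$dir/functions/eval.fish" <<'EOF'
function eval
    echo "wrapped eval"
end
EOF
}

# Stand-alone use: "sh audit_fish_config.sh ~/.config/fish" audits that
# tree; with no argument it audits the constructed sample instead.
if [ -n "$1" ]; then
    audit_fish_config "$1"
else
    demo=$(mktemp -d)
    make_sample_config "$demo"
    audit_fish_config "$demo"
    rm -rf "$demo"
fi
```

On the sample config the audit reports one CARET-REDIRECT, one EVAL-FUNCTION, one EVAL-AUTOLOAD, two GIT-PROMPT-VALUE hits (the ``0`` and the empty assignment, while the ``1`` is left alone), one EMPTY-COLOR and one STDERR-NOCARET-FLAG. The intent is to run it against ``~/.config/fish`` before the EPEL update is applied and fix or consciously accept each finding, which is cheaper than discovering a broken prompt or a silently disabled redirection after the fact.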