Re: Parameter expansion fails when assigning a local variable

[Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@xxxxxxxx>]

On Tue, 30 Jun 2009, Herbert Xu wrote:

> On Mon, Jun 29, 2009 at 07:10:29PM +0200, Cristian Ionescu-Idbohrn wrote:
> >
> > Please consider this example script:
> >
> > ---8<---
> > #!/bin/dash
> >
> > set -e
> > #set -x
> >
> > func() {
> > 	local i=0 v xx="$@"
> >
> > 	for v; do
> > 		i=$(($i + 1))
> > 		echo "func arg. $i: '$v'"
> > 	done
> > 	echo "inside func: NOONE_SHOULD_TOUCH_THIS=$NOONE_SHOULD_TOUCH_THIS"
> > }
> >
> > NOONE_SHOULD_TOUCH_THIS=protected
> > echo "main, bef. func: NOONE_SHOULD_TOUCH_THIS=$NOONE_SHOULD_TOUCH_THIS"
> > func "$@"
> > echo "main, aft. func: NOONE_SHOULD_TOUCH_THIS=$NOONE_SHOULD_TOUCH_THIS"
> >
> > exit 0
> > ---8<---
> >
> > and run the script like this:
> >
> > 	$ <script path> abc NOONE_SHOULD_TOUCH_THIS=overwritten
> >
> > Is it the intended behaviour?  Should one be able to overwrite script
> > function variables from command line?
>
> As I said, you should be using "$*" instead of "$@" which is
> designed exactly for this purpose and is completely portable.

Sure I will.  But that won't make the misfeature go away :(

And, by the way, I think the bug should probably be classified as a design
flaw and a security bug.  Reason is it has undesired side effects which
may lead to overwriting unrelated local variables and may have other
serious implications.


Cheers,

-- 
Cristian
--
To unsubscribe from this list: send the line "unsubscribe dash" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html