Re: printf(1), sh(1), POSIX.2 and octal escape sequences

[tlaronde%polynum.com@localhost]

Le Wed, Jun 28, 2023 at 06:06:38PM +0200, Martin Husemann a écrit :
> On Wed, Jun 28, 2023 at 05:59:10PM +0200, tlaronde%polynum.com@localhost wrote:
> > "\ddd", where ddd is a one, two, or three-digit octal number, shall be
> > written as a byte with the numeric value specified by the octal number."
> > 
> > ? Because I parse it as: an octal escape sequence can be \d, or \dd or
> > \ddd; and the result is a byte value.
> 
> Exactly. But for the parser the "byte value" is irrelevant, that part is
> semantics (and checked later). Syntactically you write an octal number
> with upto three digits.
> 
> If you want to write a two digit octal number you can not continue with
> another ocatal digit. In C you could do "...\77" "7" and have it concat
> the literals. In config files (without concatenation) you need some
> other trick.

I beg to differ: since due to this very unfortunate "variable length"
feature, your scanner has to read char by char, it can reject the third
digit since it would yield an out of range byte value.

And it shall be emphasized that POSIX says strictly nothing about this:
what is the correct interpretation: swallow up to three digits in the
0-7 range, not evaluating the value that may be out of range ? Or
swallow up to three digits in the 0-7 range as long a the value is in
the byte range? The latter seems more consistent than the former, but
neither is in the spec.

And the whole "variable length" feature should never have been
"standardized" specially for user level utilities: it is almost
impossible to verify a script because it is impossible to parse
correctly such a string from a cursorily look. It is a highway to
 security hell.
-- 
        Thierry Laronde <tlaronde +AT+ polynum +dot+ com>
                     http://www.kergis.com/
                    http://kertex.kergis.com/
Key fingerprint = 0FF7 E906 FBAF FE95 FD89  250D 52B1 AE95 6006 F40C