OpenBSD now enforcing no invalid NUL characters in shell scripts
by from OpenBSD Journal on (#6QZ6D)
Our favorite operating system is now changing the default shell (ksh) to enforce not allowing invalid NUL characters in input that will be parsed as parts of the script.
The commit message reads,
List: openbsd-cvsSubject: CVS: cvs.openbsd.org: srcFrom: Theo de Raadt <deraadt () cvs ! openbsd ! org>Date: 2024-09-23 21:18:33CVSROOT:/cvsModule name:srcChanges by:deraadt@cvs.openbsd.org2024/09/23 15:18:33Modified files:bin/ksh : shf.c Log message:If during parsing lines in the script, ksh finds a NUL byte on theline, it should abort ("syntax error: NUL byte unexpected"). Thereappears to be one piece of software which is misinterpreting guidanceof this, and trying to depend upon embedded NUL. During research,every shell we tested has one or more cases where a NUL byte in theinput or inside variable contents will create divergent behaviour fromother shells. (ie. gets converted to a space, is silently skipped, oraborts script parsing or later execution). All the shells are writtenin C, and majority of them use C strings for everything, which meansthey cannot embed a NUL, so this is not surprising. It is quiteunbelievable there are people trying to rewrite history on a lark, andexpecting the world to follow alone.