Release 3.6.4

This test wants to generate a U+FDD2 to see it is not mishandled.

To do so, we tried to use sh, which on my system is bash and can do
`$'\ufdd2'`.

Unfortunately on other systems it might be dash, which won't do that.

Since I don't know of a good no-dependency portable way to generate
this (I dimly remember python3 being a shim on some systems, so I do
not want to invoke it here), we'll just use our own printf.

Which is a worse test, we control both parts, but it'll do.

Fixes #10134

CHANGELOG.rst

@@ -1,4 +1,36 @@
-fish 3.6.1 (released March 25, 2022)
+fish 3.6.4 (released December 5, 2023)
+======================================
+
+This release contains a complete fix for the test suite failure in fish 3.6.2 and 3.6.3.
+
+--------------
+
+fish 3.6.3 (released December 4, 2023)
+======================================
+
+This release contains a fix for a test suite failure in fish 3.6.2.
+
+--------------
+
+fish 3.6.2 (released December 4, 2023)
+======================================
+
+This release of fish contains a security fix for CVE-2023-49284, a minor security problem identified
+in fish 3.6.1 and previous versions (thought to affect all released versions of fish).
+
+fish uses certain Unicode non-characters internally for marking wildcards and expansions. It
+incorrectly allowed these markers to be read on command substitution output, rather than
+transforming them into a safe internal representation.
+
+For example, ``echo \UFDD2HOME`` has the same output as ``echo $HOME``.
+
+While this may cause unexpected behavior with direct input, this may become a minor security problem
+if the output is being fed from an external program into a command substitution where this output
+may not be expected.
+
+--------------
+
+fish 3.6.1 (released March 25, 2023)
 ====================================
 
 This release of fish contains a number of fixes for problems identified in fish 3.6.1, as well as some enhancements.

src/common.cpp

@@ -335,9 +335,7 @@ static wcstring str2wcs_internal(const char *in, const size_t in_len) {
         } else {
             ret = std::mbrtowc(&wc, &in[in_pos], in_len - in_pos, &state);
             // Determine whether to encode this character with our crazy scheme.
-            if (wc >= ENCODE_DIRECT_BASE && wc < ENCODE_DIRECT_BASE + 256) {
-                use_encode_direct = true;
-            } else if (wc == INTERNAL_SEPARATOR) {
+            if (fish_reserved_codepoint(wc)) {
                 use_encode_direct = true;
             } else if (ret == static_cast<size_t>(-2)) {
                 // Incomplete sequence.
@@ -1313,6 +1311,9 @@ maybe_t<size_t> read_unquoted_escape(const wchar_t *input, wcstring *result, boo
     }
 
     if (result_char_or_none.has_value()) {
+        if (fish_reserved_codepoint(*result_char_or_none)) {
+            return none();
+        }
         result->push_back(*result_char_or_none);
     }
 

tests/checks/basic.fish

@@ -587,6 +587,14 @@ $fish -c 'echo \x'
 # CHECKERR: echo \x
 # CHECKERR:      ^^
 
+$fish -c 'echo \ufdd2"fart"'
+# CHECKERR: fish: Invalid token '\ufdd2"fart"'
+# CHECKERR: echo \ufdd2"fart"
+# CHECKERR: ^~~~~~~~~~~^
+
+echo (printf '\ufdd2foo') | string escape
+# CHECK: \Xef\Xb7\X92foo
+
 printf '%s\n' "#!/bin/sh" 'echo $0' > $tmpdir/argv0.sh
 chmod +x $tmpdir/argv0.sh
 cd $tmpdir