<feed xmlns='http://www.w3.org/2005/Atom'>
<title>zsh.git/plugins/hitokoto, branch master</title>
<subtitle>Unnamed repository; edit this file 'description' to name the repository.</subtitle>
<id>http://cnjoe.info/git/zsh.git/atom/plugins/hitokoto?h=master</id>
<link rel='self' href='http://cnjoe.info/git/zsh.git/atom/plugins/hitokoto?h=master'/>
<link rel='alternate' type='text/html' href='http://cnjoe.info/git/zsh.git/'/>
<updated>2021-11-11T21:45:24Z</updated>
<entry>
<title>fix(plugins): fix potential command injection in `rand-quote` and `hitokoto`</title>
<updated>2021-11-11T21:45:24Z</updated>
<author>
<name>Marc Cornellà</name>
<email>hello@mcornella.com</email>
</author>
<published>2021-11-09T08:31:09Z</published>
<link rel='alternate' type='text/html' href='http://cnjoe.info/git/zsh.git/commit/?id=72928432f1ddaa244e02067dd7fc14948a4a5ce4'/>
<id>urn:sha1:72928432f1ddaa244e02067dd7fc14948a4a5ce4</id>
<content type='text'>
The `rand-quote` plugin uses quotationspage.com and prints part of its content to the
shell without sanitization, which could trigger command injection. There is no evidence
that this has been exploited, but this commit removes all possibility for exploit.

Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the
shell, also without sanitization. Furthermore, there is also no evidence that this has
been exploited, but with this change it is now impossible.
</content>
</entry>
<entry>
<title>-mAdd hitokoto plugin (#8422)</title>
<updated>2019-12-29T05:04:24Z</updated>
<author>
<name>sinrimin</name>
<email>ashen@moesrc.com</email>
</author>
<published>2019-12-29T05:04:24Z</published>
<link rel='alternate' type='text/html' href='http://cnjoe.info/git/zsh.git/commit/?id=d9e64344aa151f9b8e13a4f8054509a5d78bb718'/>
<id>urn:sha1:d9e64344aa151f9b8e13a4f8054509a5d78bb718</id>
<content type='text'>
</content>
</entry>
</feed>
