path: root/lib
author    Marc Cornellà <hello@mcornella.com>  2021-11-08 17:46:14 +0100
committer Marc Cornellà <hello@mcornella.com>  2021-11-11 22:44:18 +0100
commit    6cb41b70a6d04301fd50cd5862ecd705ba226c0e (patch)
tree      519d2054947782c51b6d9226791fa3c54f082f4d /lib
parent    1448d234d6d9c25f64a48b16379b34db28a36898 (diff)
fix(lib): fix `omz_urldecode` unsafe eval bug
The `omz_urldecode` function uses an eval to decode the input, which can be exploited to inject commands. This is used only in the svn plugin and it requires a complex process to exploit, so it is highly unlikely to have been used by an attacker.
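The injection the commit message describes, shown side by side with the printf-based replacement. This is an added example, not code from oh-my-zsh: it is a bash port of the two variants of the decoder (the zsh `${var:gs/x/y/}` substitutions become bash `${var//x/y}`, and the locale re-encoding step of the real function is left out), the function names `vulnerable_urldecode` and `safe_urldecode` are this example's own, and the two inputs are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not oh-my-zsh code: a bash port of omz_urldecode before
# and after the fix, so the eval injection can be observed directly.
# Function names and inputs are this example's own.

# Pre-fix behaviour: the caller-controlled string is spliced into shell
# source and eval'd.  A single quote in the input closes the $'...'
# literal, and whatever follows it is parsed and executed as shell code.
vulnerable_urldecode() {
  local tmp=$1 bs='\' hex='\x' decoded
  tmp=${tmp//"$bs"/"$bs$bs"}   # double every backslash (as the original does)
  tmp=${tmp//%/$hex}           # %XX -> \xXX
  eval "decoded=\$'$tmp'"      # the injection point
  printf '%s' "$decoded"
}

# Post-fix behaviour: the string is handed to printf as its format.
# This is only safe because the % -> \x substitution has removed every
# '%', so no printf directive can remain in the format string.
safe_urldecode() {
  local tmp=$1 bs='\' hex='\x' decoded
  tmp=${tmp//"$bs"/"$bs$bs"}
  tmp=${tmp//%/$hex}
  decoded=$(printf -- "$tmp")  # no eval: the input is never parsed as code
  printf '%s' "$decoded"
}

# Constructed inputs: a benign URL-encoded path, and a payload that ends
# the $'...' literal and opens a command substitution.  The command here
# is harmless; in the real function it would run with the user's shell.
benign='dir%20name%2Ffile%3Fq%3D1'
payload="x'\$(echo INJECTED)'y"

printf 'benign, fixed:      %s\n' "$(safe_urldecode "$benign")"
printf 'payload, vulnerable: %s\n' "$(vulnerable_urldecode "$payload")"
printf 'payload, fixed:      %s\n' "$(safe_urldecode "$payload")"
```

Running the script shows the benign path decoding identically in both versions, while the payload makes the eval-based version execute `echo INJECTED` and splice its output into the result; the printf-based version returns the payload verbatim, quotes and all. Note that the safety of the fix rests on the `%` substitution running before the printf call.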
Diffstat (limited to 'lib')
-rw-r--r--  lib/functions.zsh  5
1 file changed, 2 insertions, 3 deletions
diff --git a/lib/functions.zsh b/lib/functions.zsh
index fc53611b8..61f4dd49e 100644
--- a/lib/functions.zsh
+++ b/lib/functions.zsh
@@ -237,12 +237,11 @@ function omz_urldecode {
tmp=${tmp:gs/\\/\\\\/}
# Handle %-escapes by turning them into `\xXX` printf escapes
tmp=${tmp:gs/%/\\x/}
- local decoded
- eval "decoded=\$'$tmp'"
+ local decoded="$(printf -- "$tmp")"
# Now we have a UTF-8 encoded string in the variable. We need to re-encode
# it if caller is in a non-UTF-8 locale.
- local safe_encodings
+ local -a safe_encodings
safe_encodings=(UTF-8 utf8 US-ASCII)
if [[ -z ${safe_encodings[(r)$caller_encoding]} ]]; then
decoded=$(echo -E "$decoded" | iconv -f UTF-8 -t $caller_encoding)
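Review bot: `local decoded="$(printf -- "$tmp")"` is only safe because the `tmp=${tmp:gs/%/\\x/}` line two lines above has already removed every `%` from `$tmp`; without that, caller-controlled input would reach printf as a format string with live directives. That invariant is implicit in the hunk, so add a comment next to the printf call stating that `$tmp` must contain no `%` at this point, so a later reorder or refactor does not reintroduce format handling of user input. Two smaller points: `$(...)` strips trailing newlines, so a URL-encoded trailing `%0A` is now dropped where the old eval assignment kept it; `printf -v decoded -- "$tmp"` (zsh's builtin printf accepts `-v`) preserves the bytes and avoids the subshell. The switch to `local -a safe_encodings` correctly declares the variable as the array it is assigned on the next line.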