fix(lib): fix potential command injection in `title` and `spectrum` functions - zsh.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Marc Cornellà <hello@mcornella.com>	2021-11-09 09:08:18 +0100
committer	Marc Cornellà <hello@mcornella.com>	2021-11-11 22:45:11 +0100
commit	a263cdac9c15de4003d3289a53cad1d19c8cfb3f (patch)
tree	91e2ff514a1269676eb85fb2ee3ffb273377baf3 /plugins/rand-quote
parent	06fc5fb12900d7ee5821a5f20b47be2c4b894ac0 (diff)
download	zsh-a263cdac9c15de4003d3289a53cad1d19c8cfb3f.tar.gz zsh-a263cdac9c15de4003d3289a53cad1d19c8cfb3f.tar.bz2 zsh-a263cdac9c15de4003d3289a53cad1d19c8cfb3f.zip

fix(lib): fix potential command injection in `title` and `spectrum` functions

The `title` function unsafely prints its input without sanitization, which if used with custom user code that calls it, it could trigger command injection. The `spectrum_ls` and `spectrum_bls` could similarly be exploited if a variable is changed in the user's shell environment with a carefully crafted value. This is highly unlikely to occur (and if possible, other methods would be used instead), but with this change the exploit of these two functions is now impossible.

Diffstat (limited to 'plugins/rand-quote')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: