diff options
| author | Marc Cornellà <hello@mcornella.com> | 2021-11-09 09:54:21 +0100 |
|---|---|---|
| committer | Marc Cornellà <hello@mcornella.com> | 2021-11-11 22:45:40 +0100 |
| commit | b3ba9978cc42a5031c7b68e3cf917ec2e64643bc (patch) | |
| tree | 2f5694f3958a058519e25423f50a3b45d1ff1ed8 /themes/pygmalion.zsh-theme | |
| parent | 72928432f1ddaa244e02067dd7fc14948a4a5ce4 (diff) | |
| download | zsh-b3ba9978cc42a5031c7b68e3cf917ec2e64643bc.tar.gz zsh-b3ba9978cc42a5031c7b68e3cf917ec2e64643bc.tar.bz2 zsh-b3ba9978cc42a5031c7b68e3cf917ec2e64643bc.zip | |
fix(themes): fix potential command injection in `pygmalion`, `pygmalion-virtualenv` and `refined`
The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information
which results in a double evaluation of this information, so a malicious git repository
could trigger a command injection if the user cloned and entered the repository.
A similar method could be used in the refined theme. All themes have been patched against this
vulnerability.
Diffstat (limited to 'themes/pygmalion.zsh-theme')
| -rw-r--r-- | themes/pygmalion.zsh-theme | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/themes/pygmalion.zsh-theme b/themes/pygmalion.zsh-theme index b13adfd5f..be9ca3889 100644 --- a/themes/pygmalion.zsh-theme +++ b/themes/pygmalion.zsh-theme @@ -19,14 +19,14 @@ prompt_setup_pygmalion(){ } prompt_pygmalion_precmd(){ - setopt localoptions extendedglob + setopt localoptions nopromptsubst extendedglob local gitinfo=$(git_prompt_info) local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}} - local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")" + local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")" local prompt_length=${#exp_nocolor} - PROMPT="${base_prompt}${gitinfo}${post_prompt}" + PROMPT="${base_prompt}\$(git_prompt_info)${post_prompt}" } prompt_setup_pygmalion |