authorMarc Cornellà <hello@mcornella.com>2021-11-09 09:54:21 +0100
committerMarc Cornellà <hello@mcornella.com>2021-11-11 22:45:40 +0100
commitb3ba9978cc42a5031c7b68e3cf917ec2e64643bc (patch)
tree2f5694f3958a058519e25423f50a3b45d1ff1ed8 /themes
parent72928432f1ddaa244e02067dd7fc14948a4a5ce4 (diff)
fix(themes): fix potential command injection in `pygmalion`, `pygmalion-virtualenv` and `refined`
The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information which results in a double evaluation of this information, so a malicious git repository could trigger a command injection if the user cloned and entered the repository. A similar method could be used in the refined theme. All themes have been patched against this vulnerability.
Diffstat (limited to 'themes')
-rw-r--r--themes/pygmalion-virtualenv.zsh-theme11
-rw-r--r--themes/pygmalion.zsh-theme6
-rw-r--r--themes/refined.zsh-theme1
3 files changed, 10 insertions, 8 deletions
diff --git a/themes/pygmalion-virtualenv.zsh-theme b/themes/pygmalion-virtualenv.zsh-theme
index 47b0b4fb1..c2ab7f4e6 100644
--- a/themes/pygmalion-virtualenv.zsh-theme
+++ b/themes/pygmalion-virtualenv.zsh-theme
@@ -35,19 +35,20 @@ prompt_setup_pygmalion(){
}
prompt_pygmalion_precmd(){
- setopt localoptions extendedglob
+ setopt localoptions nopromptsubst extendedglob
local gitinfo=$(git_prompt_info)
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
- local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")"
+ local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
local prompt_length=${#exp_nocolor}
+ # add new line on prompt longer than 40 characters
local nl=""
-
if [[ $prompt_length -gt 40 ]]; then
- nl=$'\n%{\r%}';
+ nl=$'\n%{\r%}'
fi
- PROMPT="$base_prompt$gitinfo$nl$post_prompt"
+
+ PROMPT="${base_prompt}\$(git_prompt_info)${nl}${post_prompt}"
}
prompt_setup_pygmalion
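Review bot: The rewritten `exp_nocolor` line still hands literal quote characters to `print -P` — inside the `$( … )` the `\"` is parsed as a plain `"`, so the measured string carries two characters the rendered prompt does not, and the 40-character newline threshold on the `if` line is effectively 38. The unescaped form `local exp_nocolor="$(print -P "${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}")"` measures the real prompt; the same line appears in the pygmalion.zsh-theme hunk. Note also that `nopromptsubst` only stops `print -P` from re-evaluating `$(…)`/`${…}` found in the git text; `%`-escapes in a branch name are still prompt-expanded here and in the deferred `$(git_prompt_info)` of the new PROMPT line, so the fix presumably relies on git_prompt_info neutralising `%` itself (outside this diff, not confirmed). A comment over the setopt, `# nopromptsubst: never let print -P run $(...) embedded in branch names`, would record why the option must stay.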
diff --git a/themes/pygmalion.zsh-theme b/themes/pygmalion.zsh-theme
index b13adfd5f..be9ca3889 100644
--- a/themes/pygmalion.zsh-theme
+++ b/themes/pygmalion.zsh-theme
@@ -19,14 +19,14 @@ prompt_setup_pygmalion(){
}
prompt_pygmalion_precmd(){
- setopt localoptions extendedglob
+ setopt localoptions nopromptsubst extendedglob
local gitinfo=$(git_prompt_info)
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
- local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")"
+ local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
local prompt_length=${#exp_nocolor}
- PROMPT="${base_prompt}${gitinfo}${post_prompt}"
+ PROMPT="${base_prompt}\$(git_prompt_info)${post_prompt}"
}
prompt_setup_pygmalion
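Review bot: `prompt_length` on the last unchanged line before the PROMPT assignment is computed but never read anywhere in prompt_pygmalion_precmd, which is complete in this hunk; now that the git segment is deferred to `$(git_prompt_info)` in PROMPT, the `gitinfo`, `gitinfo_nocolor` and `exp_nocolor` locals exist only to feed that unused value, and `gitinfo` still runs git_prompt_info once per prompt for nothing. Either drop those four lines, leaving `setopt localoptions nopromptsubst extendedglob` and the PROMPT assignment, or keep them with a comment stating the length is intentionally computed for parity with pygmalion-virtualenv. If they stay, `extendedglob` is still needed for the `[^\}]##` pattern that strips colour escapes.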
diff --git a/themes/refined.zsh-theme b/themes/refined.zsh-theme
index 5d39bd757..5e2de7a87 100644
--- a/themes/refined.zsh-theme
+++ b/themes/refined.zsh-theme
@@ -70,6 +70,7 @@ preexec() {
# Output additional information about paths, repos and exec time
#
precmd() {
+ setopt localoptions nopromptsubst
vcs_info # Get version control info before we start outputting stuff
print -P "\n$(repo_information) %F{yellow}$(cmd_exec_time)%f"
unset cmd_timestamp #Reset cmd exec time.
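Review bot: The new `setopt localoptions nopromptsubst` line carries no explanation, and its effect is subtle: `$(repo_information)` and `$(cmd_exec_time)` on the following `print -P` line are substituted once by the shell, and the option stops `print -P` from evaluating any `$(…)` or `${…}` that arrives inside their output (the crafted-branch-name case the commit message describes). A comment such as `# nopromptsubst: the $(...) below are expanded once by the shell; do not let print -P re-evaluate substitutions carried in repo_information's output` would keep a later editor from removing it as redundant. `%`-escapes in that output are still prompt-expanded by `-P`, so repo_information (outside this diff) is presumably expected to escape `%` — worth confirming. precmd's body continues past the end of the hunk.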