From e86c6f5e7fc9f024a427e2870ab70644b5454725 Mon Sep 17 00:00:00 2001
From: Kevin Burke <kevin@burke.dev>
Date: Tue, 9 Nov 2021 00:04:10 -0800
Subject: style: use `-n` flag in `head` and `tail` commands (#10391)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Marc Cornellà <hello@mcornella.com>
---
 lib/functions.zsh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'lib/functions.zsh')

diff --git a/lib/functions.zsh b/lib/functions.zsh
index 73b491a59..fc53611b8 100644
--- a/lib/functions.zsh
+++ b/lib/functions.zsh
@@ -1,7 +1,7 @@
 function zsh_stats() {
   fc -l 1 \
     | awk '{ CMD[$2]++; count++; } END { for (a in CMD) print CMD[a] " " CMD[a]*100/count "% " a }' \
-    | grep -v "./" | sort -nr | head -20 | column -c3 -s " " -t | nl
+    | grep -v "./" | sort -nr | head -n 20 | column -c3 -s " " -t | nl
 }
 
 function uninstall_oh_my_zsh() {
@@ -45,7 +45,7 @@ function takeurl() {
   data="$(mktemp)"
   curl -L "$1" > "$data"
   tar xf "$data"
-  thedir="$(tar tf "$data" | head -1)"
+  thedir="$(tar tf "$data" | head -n 1)"
   rm "$data"
   cd "$thedir"
 }
-- 
cgit v1.2.3-70-g09d2


From 6cb41b70a6d04301fd50cd5862ecd705ba226c0e Mon Sep 17 00:00:00 2001
From: Marc Cornellà <hello@mcornella.com>
Date: Mon, 8 Nov 2021 17:46:14 +0100
Subject: fix(lib): fix `omz_urldecode` unsafe eval bug

The `omz_urldecode` function uses an eval to decode the input which can be
exploited to inject commands. This is used only in the svn plugin and it
requires a complex process to exploit, so it is highly unlikely to have been
used by an attacker.
---
 lib/functions.zsh | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'lib/functions.zsh')

diff --git a/lib/functions.zsh b/lib/functions.zsh
index fc53611b8..61f4dd49e 100644
--- a/lib/functions.zsh
+++ b/lib/functions.zsh
@@ -237,12 +237,11 @@ function omz_urldecode {
   tmp=${tmp:gs/\\/\\\\/}
   # Handle %-escapes by turning them into `\xXX` printf escapes
   tmp=${tmp:gs/%/\\x/}
-  local decoded
-  eval "decoded=\$'$tmp'"
+  local decoded="$(printf -- "$tmp")"
 
   # Now we have a UTF-8 encoded string in the variable. We need to re-encode
   # it if caller is in a non-UTF-8 locale.
-  local safe_encodings
+  local -a safe_encodings
   safe_encodings=(UTF-8 utf8 US-ASCII)
   if [[ -z ${safe_encodings[(r)$caller_encoding]} ]]; then
     decoded=$(echo -E "$decoded" | iconv -f UTF-8 -t $caller_encoding)
-- 
cgit v1.2.3-70-g09d2