From a263cdac9c15de4003d3289a53cad1d19c8cfb3f Mon Sep 17 00:00:00 2001 From: Marc Cornellà Date: Tue, 9 Nov 2021 09:08:18 +0100 Subject: fix(lib): fix potential command injection in `title` and `spectrum` functions The `title` function unsafely prints its input without sanitization, which if used with custom user code that calls it, it could trigger command injection. The `spectrum_ls` and `spectrum_bls` could similarly be exploited if a variable is changed in the user's shell environment with a carefully crafted value. This is highly unlikely to occur (and if possible, other methods would be used instead), but with this change the exploit of these two functions is now impossible. --- lib/spectrum.zsh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'lib/spectrum.zsh') diff --git a/lib/spectrum.zsh b/lib/spectrum.zsh index d5c22a8c5..97f5c360a 100644 --- a/lib/spectrum.zsh +++ b/lib/spectrum.zsh @@ -20,16 +20,18 @@ done # Show all 256 colors with color number function spectrum_ls() { + setopt localoptions nopromptsubst local ZSH_SPECTRUM_TEXT=${ZSH_SPECTRUM_TEXT:-Arma virumque cano Troiae qui primus ab oris} for code in {000..255}; do - print -P -- "$code: $FG[$code]$ZSH_SPECTRUM_TEXT%{$reset_color%}" + print -P -- "$code: ${FG[$code]}${ZSH_SPECTRUM_TEXT}%{$reset_color%}" done } # Show all 256 colors where the background is set to specific color function spectrum_bls() { + setopt localoptions nopromptsubst local ZSH_SPECTRUM_TEXT=${ZSH_SPECTRUM_TEXT:-Arma virumque cano Troiae qui primus ab oris} for code in {000..255}; do - print -P -- "$code: $BG[$code]$ZSH_SPECTRUM_TEXT%{$reset_color%}" + print -P -- "$code: ${BG[$code]}${ZSH_SPECTRUM_TEXT}%{$reset_color%}" done } -- cgit v1.2.3-70-g09d2