From a263cdac9c15de4003d3289a53cad1d19c8cfb3f Mon Sep 17 00:00:00 2001
From: Marc Cornellà
Date: Tue, 9 Nov 2021 09:08:18 +0100
Subject: fix(lib): fix potential command injection in `title` and `spectrum` functions

The `title` function unsafely prints its input without sanitization, which if used with custom user code that calls it, it could trigger command injection. The `spectrum_ls` and `spectrum_bls` could similarly be exploited if a variable is changed in the user's shell environment with a carefully crafted value. This is highly unlikely to occur (and if possible, other methods would be used instead), but with this change the exploit of these two functions is now impossible.
---
 lib/termsupport.zsh | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
(limited to 'lib/termsupport.zsh')

diff --git a/lib/termsupport.zsh b/lib/termsupport.zsh
index ef0d78895..49f64400b 100644
--- a/lib/termsupport.zsh
+++ b/lib/termsupport.zsh
@@ -7,8 +7,7 @@
 # (In screen, only short_tab_title is used)
 # Limited support for Apple Terminal (Terminal can't set window and tab separately)
 function title {
- emulate -L zsh
- setopt prompt_subst
+ setopt localoptions nopromptsubst
 
 # Don't set the title if inside emacs, unless using vterm
 [[ -n "$INSIDE_EMACS" && "$INSIDE_EMACS" != vterm ]] && return
@@ -48,13 +47,13 @@ fi
 
 # Runs before showing the prompt
 function omz_termsupport_precmd {
- [[ "${DISABLE_AUTO_TITLE:-}" == true ]] && return
- title $ZSH_THEME_TERM_TAB_TITLE_IDLE $ZSH_THEME_TERM_TITLE_IDLE
+ [[ "${DISABLE_AUTO_TITLE:-}" != true ]] || return
+ title "$ZSH_THEME_TERM_TAB_TITLE_IDLE" "$ZSH_THEME_TERM_TITLE_IDLE"
 }
 
 # Runs before executing the command
 function omz_termsupport_preexec {
- [[ "${DISABLE_AUTO_TITLE:-}" == true ]] && return
+ [[ "${DISABLE_AUTO_TITLE:-}" != true ]] || return
 emulate -L zsh
 setopt extended_glob
 
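Review bot: Dropping `emulate -L zsh` from `title` means the function now inherits whatever options the caller has set (`sh_word_split`, `ksh_arrays` and the like) instead of zsh defaults, which the rest of its body — continuing outside this hunk — was written under. The old code needed an explicit `setopt prompt_subst` after `emulate -L zsh`, so `emulate -L zsh` on its own already leaves prompt_subst off and would give the same guarantee plus the option reset; if the emulate line was removed deliberately, a comment should say why. Either way the security reason belongs next to the code so nobody re-enables the option later, e.g. `# prompt_subst stays off so the title arguments are printed without being re-evaluated as shell code`.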
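Review bot: Quoting the arguments on the `title "$ZSH_THEME_TERM_TAB_TITLE_IDLE" "$ZSH_THEME_TERM_TITLE_IDLE"` line changes the arity `title` sees when the second variable is empty: the old unquoted call dropped the empty word so `$2` was unset and `title` fell back to `$1` (its own comment, visible in the second commit's hunk, says an unset `$2` defaults to `$1` while a set-but-empty one is left as is), whereas the new call passes an empty `$2` and the window title is set to nothing. If that fallback is meant to survive, `title "$ZSH_THEME_TERM_TAB_TITLE_IDLE" ${ZSH_THEME_TERM_TITLE_IDLE:+"$ZSH_THEME_TERM_TITLE_IDLE"}` keeps the quoting while still omitting the argument when it is empty; the same applies to the `preexec` call in the next hunk. The `!= true ]] || return` inversion in both hook functions is behaviour-neutral as far as the hunk shows; if it was done for a reason, a short comment would keep it from being reverted as noise.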
@@ -97,10 +96,10 @@ function omz_termsupport_preexec {
 fi
 
 # cmd name only, or if this is sudo or ssh, the next cmd
- local CMD=${1[(wr)^(*=*|sudo|ssh|mosh|rake|-*)]:gs/%/%%}
+ local CMD="${1[(wr)^(*=*|sudo|ssh|mosh|rake|-*)]:gs/%/%%}"
 local LINE="${2:gs/%/%%}"
 
- title '$CMD' '%100>...>$LINE%<<'
+ title "$CMD" "%100>...>${LINE}%<<"
 }
 
 autoload -Uz add-zsh-hook
-- 
cgit v1.2.3-70-g09d2

From 0314604384529fb535825bf1d93c6fdb3c5ccbbe Mon Sep 17 00:00:00 2001
From: Paul Scott
Date: Thu, 25 Nov 2021 22:55:21 +0000
Subject: fix(lib): don't error if `INSIDE_EMACS` is not defined (#10443)

---
 lib/termsupport.zsh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/termsupport.zsh')

diff --git a/lib/termsupport.zsh b/lib/termsupport.zsh
index 49f64400b..4035d10a1 100644
--- a/lib/termsupport.zsh
+++ b/lib/termsupport.zsh
@@ -10,7 +10,7 @@ function title {
 setopt localoptions nopromptsubst
 
 # Don't set the title if inside emacs, unless using vterm
- [[ -n "$INSIDE_EMACS" && "$INSIDE_EMACS" != vterm ]] && return
+ [[ -n "${INSIDE_EMACS:-}" && "$INSIDE_EMACS" != vterm ]] && return
 
 # if $2 is unset use $1 as default
 # if it is set and empty, leave it as is
-- 
cgit v1.2.3-70-g09d2
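Review bot: The rationale for this hunk is not recorded next to the code and is easy to undo by accident: `$CMD` and `$LINE` are now expanded here, and `title` prints its arguments with prompt_subst off (first hunk of this commit), so nothing in the command line is re-evaluated, while `:gs/%/%%` doubles `%` so prompt escapes in the command text print literally. A comment above the `local CMD=` line such as `# Pass the command text already expanded and with % doubled: title prints it with prompt_subst off, so $(...) and % sequences in a command line are shown verbatim instead of being interpreted` would record that. One thing worth confirming in the `title` body, which lies outside this hunk, is whether the printing is done with `print -r` or an equivalent; without it, backslash escapes inside `$LINE` would still be interpreted by `print`, which is a cosmetic rather than an injection issue but can let a command line truncate or alter the title string.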
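Review bot: The `"$INSIDE_EMACS"` on the right-hand side of the new `[[ -n "${INSIDE_EMACS:-}" && "$INSIDE_EMACS" != vterm ]]` is still an unguarded reference; it is only safe under `nounset` because `&&` short-circuits when the variable is empty or unset. Writing both sides the same way, `[[ -n "${INSIDE_EMACS:-}" && "${INSIDE_EMACS:-}" != vterm ]]`, makes the line robust on its own and avoids a regression if the test is ever reordered. The rest of `title` lies outside this hunk.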