From b3ba9978cc42a5031c7b68e3cf917ec2e64643bc Mon Sep 17 00:00:00 2001
From: Marc Cornellà <hello@mcornella.com>
Date: Tue, 9 Nov 2021 09:54:21 +0100
Subject: fix(themes): fix potential command injection in `pygmalion`,
 `pygmalion-virtualenv` and `refined`

The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information
which results in a double evaluation of this information, so a malicious git repository
could trigger a command injection if the user cloned and entered the repository.

A similar method could be used in the refined theme. All themes have been patched against this
vulnerability.
---
 themes/pygmalion.zsh-theme | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'themes/pygmalion.zsh-theme')

diff --git a/themes/pygmalion.zsh-theme b/themes/pygmalion.zsh-theme
index b13adfd5f..be9ca3889 100644
--- a/themes/pygmalion.zsh-theme
+++ b/themes/pygmalion.zsh-theme
@@ -19,14 +19,14 @@ prompt_setup_pygmalion(){
 }
 
 prompt_pygmalion_precmd(){
-  setopt localoptions extendedglob
+  setopt localoptions nopromptsubst extendedglob
 
   local gitinfo=$(git_prompt_info)
   local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
-  local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")"
+  local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
   local prompt_length=${#exp_nocolor}
 
-  PROMPT="${base_prompt}${gitinfo}${post_prompt}"
+  PROMPT="${base_prompt}\$(git_prompt_info)${post_prompt}"
 }
 
 prompt_setup_pygmalion
-- 
cgit v1.2.3-70-g09d2