github/ohmyzsh
1
0
Fork 0
mirror of https://github.com/ohmyzsh/ohmyzsh.git synced 2025-11-04 21:31:19 +08:00
Code Issues Projects Releases Wiki Activity

fix(themes): fix potential command injection in pygmalion, pygmalion-virtualenv and refined

Browse Source 
The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information
which results in a double evaluation of this information, so a malicious git repository
could trigger a command injection if the user cloned and entered the repository.

A similar method could be used in the refined theme. All themes have been patched against this
vulnerability.
This commit is contained in:
Marc Cornellà 2021-11-09 09:54:21 +01:00
parent 72928432f1
commit b3ba9978cc
No known key found for this signature in database
GPG Key ID: 0314585E776A9C1B
3 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
themes/pygmalion-virtualenv.zsh-theme
View File

@ -35,19 +35,20 @@ prompt_setup_pygmalion(){
}
prompt_pygmalion_precmd(){
setopt localoptions extendedglob
setopt localoptions nopromptsubst extendedglob
local gitinfo=$(git_prompt_info)
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")"
local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
local prompt_length=${#exp_nocolor}
# add new line on prompt longer than 40 characters
local nl=""
if [[ $prompt_length -gt 40 ]]; then
nl=$'\n%{\r%}';
nl=$'\n%{\r%}'
fi
PROMPT="$base_prompt$gitinfo$nl$post_prompt"
PROMPT="${base_prompt}\$(git_prompt_info)${nl}${post_prompt}"
}
prompt_setup_pygmalion

6
themes/pygmalion.zsh-theme
View File

@ -19,14 +19,14 @@ prompt_setup_pygmalion(){
}
prompt_pygmalion_precmd(){
setopt localoptions extendedglob
setopt localoptions nopromptsubst extendedglob
local gitinfo=$(git_prompt_info)
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")"
local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
local prompt_length=${#exp_nocolor}
PROMPT="${base_prompt}${gitinfo}${post_prompt}"
PROMPT="${base_prompt}\$(git_prompt_info)${post_prompt}"
}
prompt_setup_pygmalion

1
themes/refined.zsh-theme
View File

@ -70,6 +70,7 @@ preexec() {
# Output additional information about paths, repos and exec time
#
precmd() {
setopt localoptions nopromptsubst
vcs_info # Get version control info before we start outputting stuff
print -P "\n$(repo_information) %F{yellow}$(cmd_exec_time)%f"
unset cmd_timestamp #Reset cmd exec time.