wilderjds
/
oh-my-zsh
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(themes): fix potential command injection in `pygmalion`, `pygmalion-virtualenv` and `refined`

Browse Source 
The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information
which results in a double evaluation of this information, so a malicious git repository
could trigger a command injection if the user cloned and entered the repository.

A similar method could be used in the refined theme. All themes have been patched against this
vulnerability.
master
Marc Cornellà 5 years ago
parent 72928432f1
commit b3ba9978cc
No known key found for this signature in database
GPG Key ID: 314585E776A9C1B
3 changed files with 10 additions and 8 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      themes/pygmalion-virtualenv.zsh-theme
  2. 6
      themes/pygmalion.zsh-theme
  3. 1
      themes/refined.zsh-theme

11
themes/pygmalion-virtualenv.zsh-theme
Unescape View File

@ -35,19 +35,20 @@ prompt_setup_pygmalion(){
} }
prompt_pygmalion_precmd(){ prompt_pygmalion_precmd(){
setopt localoptions extendedglob setopt localoptions nopromptsubst extendedglob
local gitinfo=$(git_prompt_info) local gitinfo=$(git_prompt_info)
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}} local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")" local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
local prompt_length=${#exp_nocolor} local prompt_length=${#exp_nocolor}
# add new line on prompt longer than 40 characters
local nl="" local nl=""
if [[ $prompt_length -gt 40 ]]; then if [[ $prompt_length -gt 40 ]]; then
nl=$'\n%{\r%}'; nl=$'\n%{\r%}'
fi fi
PROMPT="$base_prompt$gitinfo$nl$post_prompt"
PROMPT="${base_prompt}\$(git_prompt_info)${nl}${post_prompt}"
} }
prompt_setup_pygmalion prompt_setup_pygmalion

6
themes/pygmalion.zsh-theme
Unescape View File

@ -19,14 +19,14 @@ prompt_setup_pygmalion(){
} }
prompt_pygmalion_precmd(){ prompt_pygmalion_precmd(){
setopt localoptions extendedglob setopt localoptions nopromptsubst extendedglob
local gitinfo=$(git_prompt_info) local gitinfo=$(git_prompt_info)
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}} local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")" local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
local prompt_length=${#exp_nocolor} local prompt_length=${#exp_nocolor}
PROMPT="${base_prompt}${gitinfo}${post_prompt}" PROMPT="${base_prompt}\$(git_prompt_info)${post_prompt}"
} }
prompt_setup_pygmalion prompt_setup_pygmalion

1
themes/refined.zsh-theme
Unescape View File

@ -70,6 +70,7 @@ preexec() {
# Output additional information about paths, repos and exec time # Output additional information about paths, repos and exec time
# #
precmd() { precmd() {
setopt localoptions nopromptsubst
vcs_info # Get version control info before we start outputting stuff vcs_info # Get version control info before we start outputting stuff
print -P "\n$(repo_information) %F{yellow}$(cmd_exec_time)%f" print -P "\n$(repo_information) %F{yellow}$(cmd_exec_time)%f"
unset cmd_timestamp #Reset cmd exec time. unset cmd_timestamp #Reset cmd exec time.

Write Preview
Loading…
Cancel
Save