This lib function applies a patch to the VCS_INFO_formats function
in zsh versions from v5.0.3 until v5.8, which don't quote % chars
in some arguments received. Normally that just means that some
% characters in these strings (branch names, directories, etc.)
will be incorrectly parsed as formatting sequences.
With CVE-2021-45444, however, this means that one of these strings
from a malicious source (e.g. a malicious git repository) can
trigger command injection and run arbitrary code in the user's
machine when visiting such git repository.
Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
still need a workaround such as this one to patch the vulnerability.
[1] c3ea1e5d52
master
Marc Cornellà
4 years ago
parent
02b52a03a5
commit
ef3f7c43a9
1 changed files with 50 additions and 0 deletions
@ -0,0 +1,50 @@ |
||||
# Impacted versions go from v5.0.3 to v5.8 (v5.8.1 is the first patched version) |
||||
autoload -Uz is-at-least |
||||
if is-at-least 5.8.1 || ! is-at-least 5.0.3; then |
||||
return |
||||
fi |
||||
|
||||
# Quote necessary $hook_com[<field>] items just before they are used |
||||
# in the line "VCS_INFO_hook 'post-backend'" of the VCS_INFO_formats |
||||
# function, where <field> is: |
||||
# |
||||
# base: the full path of the repository's root directory. |
||||
# base-name: the name of the repository's root directory. |
||||
# branch: the name of the currently checked out branch. |
||||
# misc: a string that may contain anything the vcs_info backend wants. |
||||
# revision: an identifier of the currently checked out revision. |
||||
# subdir: the path of the current directory relative to the |
||||
# repository's root directory. |
||||
# |
||||
# This patch %-quotes these fields previous to their use in vcs_info hooks and |
||||
# the zformat call and, eventually, when they get expanded in the prompt. |
||||
# It's important to quote these here, and not later after hooks have modified the |
||||
# fields, because then we could be quoting % characters from valid prompt sequences, |
||||
# like %F{color}, %B, etc. |
||||
# |
||||
# 32 │ hook_com[subdir]="$(VCS_INFO_reposub ${hook_com[base]})" |
||||
# 33 │ hook_com[subdir_orig]="${hook_com[subdir]}" |
||||
# 34 │ |
||||
# 35 + │ for tmp in base base-name branch misc revision subdir; do |
||||
# 36 + │ hook_com[$tmp]="${hook_com[$tmp]//\%/%%}" |
||||
# 37 + │ done |
||||
# 38 + │ |
||||
# 39 │ VCS_INFO_hook 'post-backend' |
||||
# |
||||
# This is especially important so that no command substitution is performed |
||||
# due to malicious input as a consequence of CVE-2021-45444, which affects |
||||
# zsh versions from 5.0.3 to 5.8. |
||||
# |
||||
autoload -Uz +X regexp-replace VCS_INFO_formats |
||||
|
||||
# We use $tmp here because it's already a local variable in VCS_INFO_formats |
||||
typeset PATCH='for tmp (base base-name branch misc revision subdir) hook_com[$tmp]="${hook_com[$tmp]//\%/%%}"' |
||||
# Unique string to avoid reapplying the patch if this code gets called twice |
||||
typeset PATCH_ID=vcs_info-patch-9b9840f2-91e5-4471-af84-9e9a0dc68c1b |
||||
# Only patch the VCS_INFO_formats function if not already patched |
||||
if [[ "$functions[VCS_INFO_formats]" != *$PATCH_ID* ]]; then |
||||
regexp-replace 'functions[VCS_INFO_formats]' \ |
||||
"VCS_INFO_hook 'post-backend'" \ |
||||
': ${PATCH_ID}; ${PATCH}; ${MATCH}' |
||||
fi |
||||
unset PATCH PATCH_ID |
||||
Loading…
Reference in new issue