- Dec 07, 2021
-
-
Marc Cornellà authored
-
- Dec 02, 2021
-
-
Josh Soref authored
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
-
- Dec 01, 2021
-
-
whoami authored
Co-authored-by: Marc Cornellà <hello@mcornella.com>
-
Nick Aldwin authored
-
Marc Cornellà authored
This reverts commit aef393bd.
-
Marc Cornellà authored
-
Josh Soref authored
Co-authored-by: Josh Soref <jsoref@users.noreply.github.com>
-
- Nov 30, 2021
-
-
Marc Cornellà authored
-
Marc Cornellà authored
-
- Nov 27, 2021
-
-
Nicholas Hawkes authored
-
Markus Hofbauer authored
-
Adam Cwyk authored
Co-authored-by: Adam Cwyk <git@adamcwyk.dev>
-
- Nov 25, 2021
-
-
Kyle authored
-
Paul Scott authored
-
Marc Cornellà authored
Fixes #10448
-
- Nov 17, 2021
-
-
Marc Cornellà authored
-
Marc Cornellà authored
When calling `bundle install` with `--jobs=<n>`, bundle persists this argument in `.bundle/config`. If we run `BUNDLE_JOBS=<n> bundle install` instead, this is not persisted. Fixes #10425
-
Aurora authored
Co-authored-by: Marc Cornellà <hello@mcornella.com>
-
Marc Cornellà authored
BREAKING CHANGE: the plugin now checks for the `docker-compose` command instead of trying whether `docker compose` is a valid command. This means that if the old command is still installed it will be used instead. To use `docker compose`, uninstall any old copies of `docker-compose`. Fixes #10409
-
Marc Cornellà authored
Fixes #10428
-
Brian Tannous authored
-
Marc Cornellà authored
Closes #9659 Co-authored-by: Jeff Warner <jeff@develops.software>
-
- Nov 16, 2021
-
-
Marc Cornellà authored
Fixes #10422
-
Marc Cornellà authored
-
- Nov 11, 2021
-
-
Marc Cornellà authored
The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information which results in a double evaluation of this information, so a malicious git repository could trigger a command injection if the user cloned and entered the repository. A similar method could be used in the refined theme. All themes have been patched against this vulnerability.
-
Marc Cornellà authored
The `rand-quote` plugin uses quotationspage.com and prints part of its content to the shell without sanitization, which could trigger command injection. There is no evidence that this has been exploited, but this commit removes all possibility for exploit. Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the shell, also without sanitization. Furthermore, there is also no evidence that this has been exploited, but with this change it is now impossible.
-
Marc Cornellà authored
The `title` function unsafely prints its input without sanitization, which if used with custom user code that calls it, it could trigger command injection. The `spectrum_ls` and `spectrum_bls` could similarly be exploited if a variable is changed in the user's shell environment with a carefully crafted value. This is highly unlikely to occur (and if possible, other methods would be used instead), but with this change the exploit of these two functions is now impossible.
-
Marc Cornellà authored
The plugin unsafely processes directory paths in pop_past and pop_future. This commit fixes that.
-
Marc Cornellà authored
The `omz_urldecode` function uses an eval to decode the input which can be exploited to inject commands. This is used only in the svn plugin and it requires a complex process to exploit, so it is highly unlikely to have been used by an attacker.
-
- Nov 10, 2021
-
-
Kirill Molchanov authored
-
Marc Cornellà authored
-
Marc Cornellà authored
Fixes #10404
-
- Nov 09, 2021
-
-
Marc Cornellà authored
-
Marc Cornellà authored
-
Marc Cornellà authored
-
Marc Cornellà authored
-
Janusz Mordarski authored
-
Kevin Burke authored
Co-authored-by: Marc Cornellà <hello@mcornella.com>
-
- Nov 08, 2021
-
-
Shahin Sorkh authored
-