fix(themes): fix potential command injection in pygmalion, pygmalion-virtualenv and refined
The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information, which results in a double evaluation of that information, so a malicious git repository could trigger a command injection if the user cloned and entered the repository. A similar method could be used against the refined theme. All themes have been patched against this vulnerability.
This commit is contained in:
parent
72928432f1
commit
b3ba9978cc
3 changed files with 10 additions and 8 deletions
|
@ -35,19 +35,20 @@ prompt_setup_pygmalion(){
|
||||||
}
|
}
|
||||||
|
|
||||||
prompt_pygmalion_precmd(){
|
prompt_pygmalion_precmd(){
|
||||||
setopt localoptions extendedglob
|
setopt localoptions nopromptsubst extendedglob
|
||||||
|
|
||||||
local gitinfo=$(git_prompt_info)
|
local gitinfo=$(git_prompt_info)
|
||||||
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
|
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
|
||||||
local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")"
|
local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
|
||||||
local prompt_length=${#exp_nocolor}
|
local prompt_length=${#exp_nocolor}
|
||||||
|
|
||||||
|
# add new line on prompt longer than 40 characters
|
||||||
local nl=""
|
local nl=""
|
||||||
|
|
||||||
if [[ $prompt_length -gt 40 ]]; then
|
if [[ $prompt_length -gt 40 ]]; then
|
||||||
nl=$'\n%{\r%}';
|
nl=$'\n%{\r%}'
|
||||||
fi
|
fi
|
||||||
PROMPT="$base_prompt$gitinfo$nl$post_prompt"
|
|
||||||
|
PROMPT="${base_prompt}\$(git_prompt_info)${nl}${post_prompt}"
|
||||||
}
|
}
|
||||||
|
|
||||||
prompt_setup_pygmalion
|
prompt_setup_pygmalion
|
||||||
|
|
|
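Review bot: The escaped quotes in `print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\"` reach `print` as literal `"` characters inside the `$(...)`, so `exp_nocolor` carries two extra characters and the 40-character newline threshold is off by two; the same line appears in the pygmalion-virtualenv hunk below. If the leading quote was meant to keep an expansion starting with `-` from being read as an option, `local exp_nocolor="$(print -P -- "${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}")"` keeps that protection without skewing the width. With `nopromptsubst` in force, `print -P` no longer runs command substitutions found in `gitinfo_nocolor`, but it still interprets `%` prompt escapes, so a branch name containing them can still distort the computed width (without executing anything). The rendered prompt now relies on PROMPT_SUBST being enabled globally when the prompt is drawn; `prompt_setup_pygmalion` is outside the hunk, so I cannot see whether it sets that option explicitly. Note also that `git_prompt_info` now runs twice per prompt, once here for the width and once at render time.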
@ -19,14 +19,14 @@ prompt_setup_pygmalion(){
|
||||||
}
|
}
|
||||||
|
|
||||||
prompt_pygmalion_precmd(){
|
prompt_pygmalion_precmd(){
|
||||||
setopt localoptions extendedglob
|
setopt localoptions nopromptsubst extendedglob
|
||||||
|
|
||||||
local gitinfo=$(git_prompt_info)
|
local gitinfo=$(git_prompt_info)
|
||||||
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
|
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
|
||||||
local exp_nocolor="$(print -P \"$base_prompt_nocolor$gitinfo_nocolor$post_prompt_nocolor\")"
|
local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
|
||||||
local prompt_length=${#exp_nocolor}
|
local prompt_length=${#exp_nocolor}
|
||||||
|
|
||||||
PROMPT="${base_prompt}${gitinfo}${post_prompt}"
|
PROMPT="${base_prompt}\$(git_prompt_info)${post_prompt}"
|
||||||
}
|
}
|
||||||
|
|
||||||
prompt_setup_pygmalion
|
prompt_setup_pygmalion
|
||||||
|
|
|
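Review bot: On the new side, `gitinfo`, `gitinfo_nocolor`, `exp_nocolor` and `prompt_length` are computed and then never read: the hunk shows `local prompt_length=${#exp_nocolor}` followed directly by the `PROMPT=` assignment and the closing brace, without the newline logic the pygmalion theme applies. These four lines are therefore dead code that still costs a `git_prompt_info` call on every prompt. Either drop them or restore the `if [[ $prompt_length -gt 40 ]]` newline insertion that pygmalion performs, whichever the virtualenv variant intends; if they are dropped, `extendedglob` in the `setopt localoptions` line appears to be needed only by the `${gitinfo//\%\{[^\}]##\}}` pattern and could go with them, while `nopromptsubst` is harmless to keep.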
@ -70,6 +70,7 @@ preexec() {
|
||||||
# Output additional information about paths, repos and exec time
|
# Output additional information about paths, repos and exec time
|
||||||
#
|
#
|
||||||
precmd() {
|
precmd() {
|
||||||
|
setopt localoptions nopromptsubst
|
||||||
vcs_info # Get version control info before we start outputting stuff
|
vcs_info # Get version control info before we start outputting stuff
|
||||||
print -P "\n$(repo_information) %F{yellow}$(cmd_exec_time)%f"
|
print -P "\n$(repo_information) %F{yellow}$(cmd_exec_time)%f"
|
||||||
unset cmd_timestamp #Reset cmd exec time.
|
unset cmd_timestamp #Reset cmd exec time.
|
||||||
|
|
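Review bot: `print -P "\n$(repo_information) %F{yellow}$(cmd_exec_time)%f"` still applies prompt-escape expansion to the output of `repo_information`; the new `setopt localoptions nopromptsubst` stops a second `$(...)` evaluation, but `%` sequences in a branch or repository name (for example `%F{...}` or `%{...%}`) are still interpreted and can recolor or hide part of the line. Unless `repo_information` already escapes `%` as `%%` (it is outside the hunk, so I cannot tell), neutralise it before the prompt expansion: `local repo; repo=$(repo_information)` and then `print -P "\n${repo//\%/%%} %F{yellow}$(cmd_exec_time)%f"`. The closing brace of `precmd` is outside the hunk.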