mirror of https://github.com/ohmyzsh/ohmyzsh.git synced 2024-11-27 02:33:39 +08:00
Commit Graph

3 Commits

Author SHA1 Message Date
Marc Cornellà
b00b59364a
fix(vcs_info): don't patch VCS_INFO_formats if not found 2022-02-21 20:30:06 +01:00
Marc Cornellà
07b829c894
fix(vcs_info): quote % in relevant fields on all current Zsh releases 2022-02-21 18:34:28 +01:00
Marc Cornellà
ef3f7c43a9
fix: apply workaround patch for vcs_info (CVE-2021-45444)
This lib function applies a patch to the VCS_INFO_formats function
in zsh versions from v5.0.3 until v5.8, which don't quote % chars
in some arguments received. Normally that just means that some
% characters in these strings (branch names, directories, etc.)
will be incorrectly parsed as formatting sequences.

With CVE-2021-45444, however, this means that one of these strings
from a malicious source (e.g. a malicious git repository) can
trigger command injection and run arbitrary code on the user's
machine when visiting such a git repository.

Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
still need a workaround such as this one to patch the vulnerability.

[1] c3ea1e5d52
2022-02-13 19:07:12 +01:00