fix(lib): fix omz_urldecode
unsafe eval bug
The `omz_urldecode` function uses `eval` to decode its input, which can be exploited to inject shell commands. The function is used only in the svn plugin and exploiting it requires a complex process, so it is highly unlikely to have been used by an attacker.
This commit is contained in:
parent
1448d234d6
commit
6cb41b70a6
1 changed files with 2 additions and 3 deletions
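--- a/lib/functions.zsh
+++ b/lib/functions.zsh
@@ -237,12 +237,11 @@ function omz_urldecode {
 tmp=${tmp:gs/\\/\\\\/}
 # Handle %-escapes by turning them into `\xXX` printf escapes
 tmp=${tmp:gs/%/\\x/}
-local decoded
-eval "decoded=\$'$tmp'"
+local decoded="$(printf -- "$tmp")"
 
 # Now we have a UTF-8 encoded string in the variable. We need to re-encode
 # it if caller is in a non-UTF-8 locale.
-local safe_encodings
+local -a safe_encodings
 safe_encodings=(UTF-8 utf8 US-ASCII)
 if [[ -z ${safe_encodings[(r)$caller_encoding]} ]]; then
 decoded=$(echo -E "$decoded" | iconv -f UTF-8 -t $caller_encoding)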
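Review bot: The new `local decoded="$(printf -- "$tmp")"` drops trailing newlines from the decoded value, because command substitution strips every newline at the end of its output, so a URL ending in `%0A` decodes differently than it did with the old `$'...'` assignment; wrapping the substitution in `local` also masks printf's exit status. zsh's printf builtin can write directly into the variable, which avoids both problems: replace the line with `local decoded` followed by `printf -v decoded -- "$tmp"`. The line also deserves a comment saying that `$tmp` is used as the printf format string on purpose and that this is only safe because the two substitutions just above turn every `\` into `\\` and every `%` into `\x`, e.g. `# $tmp is the printf format on purpose: after the escaping above only our \xXX escapes remain`. The enclosing function omz_urldecode starts before this hunk and continues after it.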