mirror of https://github.com/ohmyzsh/ohmyzsh.git synced 2024-12-19 02:41:57 +00:00
ohmyzsh/lib
Marc Cornellà ef3f7c43a9
fix: apply workaround patch for vcs_info (CVE-2021-45444)
This lib function applies a patch to the VCS_INFO_formats function
in zsh versions from v5.0.3 until v5.8, which don't quote % chars
in some arguments received. Normally that just means that some
% characters in these strings (branch names, directories, etc.)
will be incorrectly parsed as formatting sequences.

With CVE-2021-45444, however, this means that one of these strings
from a malicious source (e.g. a malicious git repository) can
trigger command injection and run arbitrary code on the user's
machine when visiting such a git repository.

Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
still need a workaround such as this one to patch the vulnerability.

[1] c3ea1e5d52
2022-02-13 19:07:12 +01:00
bzr.zsh Modification to the frisk theme to work with the BZR lib 2013-11-06 20:10:59 -02:00
cli.zsh fix(cli): disable GPG signing in omz pr test to avoid key prompt (#10677) 2022-02-10 11:50:04 +01:00
clipboard.zsh fix(lib): fix clipboard copy on Termux 2021-08-17 17:38:31 +02:00
compfix.zsh compfix: fix check for empty string (#7674) 2019-03-21 20:35:00 +01:00
completion.zsh feat(lib): allow setting custom completion dots sequence (#9424) 2021-09-22 11:30:07 +02:00
correction.zsh feat(lib): don't correct su command arguments (#10214) 2021-09-29 18:07:25 +02:00
diagnostics.zsh style: use -n flag in head and tail commands (#10391) 2021-11-09 09:04:10 +01:00
directories.zsh style: use -n flag in head and tail commands (#10391) 2021-11-09 09:04:10 +01:00
functions.zsh fix(lib): fix omz_urldecode unsafe eval bug 2021-11-11 22:44:18 +01:00
git.zsh fix(lib): quote % in git_remote_status 2022-01-03 13:50:50 +01:00
grep.zsh lib: use grep-alias cache only if ZSH_CACHE_DIR is writable 2020-03-02 12:35:58 +01:00
history.zsh Revert "lib: remove share_history" 2020-11-09 12:00:15 +01:00
key-bindings.zsh lib: remove CTRL-Backspace key binding altogether 2020-08-06 08:55:29 +02:00
misc.zsh lib: speed up slow parts of the lib files; other small fixes 2020-04-05 21:37:45 +02:00
nvm.zsh fix(lib): quote % in nvm_prompt_info 2022-01-03 13:50:50 +01:00
prompt_info_functions.zsh fix: quote % characters in ruby prompt info functions 2021-12-13 17:43:32 +01:00
spectrum.zsh fix(lib): fix potential command injection in title and spectrum functions 2021-11-11 22:45:11 +01:00
termsupport.zsh fix(lib): don't error if INSIDE_EMACS is not defined (#10443) 2021-11-25 23:55:21 +01:00
theme-and-appearance.zsh fix(lib): fix diff --color argument check for BSD systems (#10269) 2021-10-10 19:15:24 +02:00
vcs_info.zsh fix: apply workaround patch for vcs_info (CVE-2021-45444) 2022-02-13 19:07:12 +01:00