mirror of
https://github.com/ohmyzsh/ohmyzsh.git
synced 2024-12-18 10:22:00 +00:00
72928432f1
The `rand-quote` plugin uses quotationspage.com and prints part of its content to the shell without sanitization, which could trigger command injection. There is no evidence that this has been exploited, but this commit removes all possibility for exploit. Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the shell, also without sanitization. Furthermore, there is also no evidence that this has been exploited, but with this change it is now impossible.
18 lines
489 B
Bash
18 lines
489 B
Bash
if ! (( $+commands[curl] )); then
|
|
echo "hitokoto plugin needs curl to work" >&2
|
|
return
|
|
fi
|
|
|
|
function hitokoto {
|
|
setopt localoptions nopromptsubst
|
|
|
|
# Get hitokoto data
|
|
local -a data
|
|
data=("${(ps:\n:)"$(command curl -s --connect-timeout 2 "https://v1.hitokoto.cn" | command jq -j '.hitokoto+"\n"+.from')"}")
|
|
|
|
# Exit if could not fetch hitokoto
|
|
[[ -n "$data" ]] || return 0
|
|
|
|
local quote="${data[1]}" author="${data[2]}"
|
|
print -P "%F{3}${author}%f: “%F{5}${quote}%f”"
|
|
}
|