1
0
Fork 0
mirror of https://github.com/ohmyzsh/ohmyzsh.git synced 2024-12-30 00:01:58 +00:00
ohmyzsh/themes/pygmalion.zsh-theme
Marc Cornellà b3ba9978cc
fix(themes): fix potential command injection in pygmalion, pygmalion-virtualenv and refined
The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information
which results in a double evaluation of this information, so a malicious git repository
could trigger a command injection if the user cloned and entered the repository.

A similar method could be used in the refined theme. All themes have been patched against this
vulnerability.
2021-11-11 22:45:40 +01:00

32 lines
1.1 KiB
Bash

# Yay! High voltage and arrows!
prompt_setup_pygmalion(){
setopt localoptions extendedglob
ZSH_THEME_GIT_PROMPT_PREFIX="%{$reset_color%}%{$fg[green]%}"
ZSH_THEME_GIT_PROMPT_SUFFIX="%{$reset_color%} "
ZSH_THEME_GIT_PROMPT_DIRTY="%{$fg[yellow]%}⚡%{$reset_color%}"
ZSH_THEME_GIT_PROMPT_CLEAN=""
base_prompt='%{$fg[magenta]%}%n%{$reset_color%}%{$fg[cyan]%}@%{$reset_color%}%{$fg[yellow]%}%m%{$reset_color%}%{$fg[red]%}:%{$reset_color%}%{$fg[cyan]%}%0~%{$reset_color%}%{$fg[red]%}|%{$reset_color%}'
post_prompt='%{$fg[cyan]%}⇒%{$reset_color%} '
base_prompt_nocolor=${base_prompt//\%\{[^\}]##\}}
post_prompt_nocolor=${post_prompt//\%\{[^\}]##\}}
autoload -U add-zsh-hook
add-zsh-hook precmd prompt_pygmalion_precmd
}
prompt_pygmalion_precmd(){
setopt localoptions nopromptsubst extendedglob
local gitinfo=$(git_prompt_info)
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
local prompt_length=${#exp_nocolor}
PROMPT="${base_prompt}\$(git_prompt_info)${post_prompt}"
}
prompt_setup_pygmalion