mirror of
https://github.com/ohmyzsh/ohmyzsh.git
synced 2024-11-30 17:50:07 +00:00
b3ba9978cc
The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information which results in a double evaluation of this information, so a malicious git repository could trigger a command injection if the user cloned and entered the repository. A similar method could be used in the refined theme. All themes have been patched against this vulnerability.
32 lines
1.1 KiB
Bash
32 lines
1.1 KiB
Bash
# Yay! High voltage and arrows!
|
|
|
|
prompt_setup_pygmalion(){
|
|
setopt localoptions extendedglob
|
|
|
|
ZSH_THEME_GIT_PROMPT_PREFIX="%{$reset_color%}%{$fg[green]%}"
|
|
ZSH_THEME_GIT_PROMPT_SUFFIX="%{$reset_color%} "
|
|
ZSH_THEME_GIT_PROMPT_DIRTY="%{$fg[yellow]%}⚡%{$reset_color%}"
|
|
ZSH_THEME_GIT_PROMPT_CLEAN=""
|
|
|
|
base_prompt='%{$fg[magenta]%}%n%{$reset_color%}%{$fg[cyan]%}@%{$reset_color%}%{$fg[yellow]%}%m%{$reset_color%}%{$fg[red]%}:%{$reset_color%}%{$fg[cyan]%}%0~%{$reset_color%}%{$fg[red]%}|%{$reset_color%}'
|
|
post_prompt='%{$fg[cyan]%}⇒%{$reset_color%} '
|
|
|
|
base_prompt_nocolor=${base_prompt//\%\{[^\}]##\}}
|
|
post_prompt_nocolor=${post_prompt//\%\{[^\}]##\}}
|
|
|
|
autoload -U add-zsh-hook
|
|
add-zsh-hook precmd prompt_pygmalion_precmd
|
|
}
|
|
|
|
prompt_pygmalion_precmd(){
|
|
setopt localoptions nopromptsubst extendedglob
|
|
|
|
local gitinfo=$(git_prompt_info)
|
|
local gitinfo_nocolor=${gitinfo//\%\{[^\}]##\}}
|
|
local exp_nocolor="$(print -P \"${base_prompt_nocolor}${gitinfo_nocolor}${post_prompt_nocolor}\")"
|
|
local prompt_length=${#exp_nocolor}
|
|
|
|
PROMPT="${base_prompt}\$(git_prompt_info)${post_prompt}"
|
|
}
|
|
|
|
prompt_setup_pygmalion
|