In BSD awk, \s is not a valid sequence interchangeable with "space or tab characters"
as it is in GNU awk. This fix uses [ \t] instead, which is all the possibilities that
we need to contemplate when reading the .zshrc file.
Fixes#11146
Since `set -e` is enabled, when `commit.gpgsign` is not set the
`git config` command would show an error. Given that it is technically
not ignored, the subshell would exit.
With this change, the `commit.gpgsign` setting is properly tested
by doing the fallback test if the command fails, so no exit status
code ends up quiting the subshell.
This lib function applies a patch to the VCS_INFO_formats function
in zsh versions from v5.0.3 until v5.8, which don't quote % chars
in some arguments received. Normally that just means that some
% characters in these strings (branch names, directories, etc.)
will be incorrectly parsed as formatting sequences.
With CVE-2021-45444, however, this means that one of these strings
from a malicious source (e.g. a malicious git repository) can
trigger command injection and run arbitrary code in the user's
machine when visiting such git repository.
Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
still need a workaround such as this one to patch the vulnerability.
[1] c3ea1e5d52
The commands `omz plugin {enable,disable}` and `omz theme set`
automatically reload the zsh session on success. With this
change, the CLI checks whether the commands are run in an
interactive session before reloading the zsh session.
This change also conditionally sets the completion function
for `omz` so that it's not done in a non-interactive session.
The `title` function unsafely prints its input without sanitization, which if used
with custom user code that calls it, it could trigger command injection.
The `spectrum_ls` and `spectrum_bls` could similarly be exploited if a variable is
changed in the user's shell environment with a carefully crafted value. This is
highly unlikely to occur (and if possible, other methods would be used instead),
but with this change the exploit of these two functions is now impossible.
The `omz_urldecode` function uses an eval to decode the input which can be
exploited to inject commands. This is used only in the svn plugin and it
requires a complex process to exploit, so it is highly unlikely to have been
used by an attacker.
BREAKING CHANGE: the `zsh_reload` plugin is deprecated. Instead of using its `src`
function, use `omz reload` or `exec zsh` to reload zsh after making changes to
your `.zshrc` file.
Closes#9078