BREAKING CHANGE: the `DEFAULT_PROXY` setting has been renamed to `SHELLPROXY_URL`,
and `CONFIG_PROXY` has been renamed to `SHELLPROXY_CONFIG`. See the plugin README
for more information.
Co-authored-by: Marc Cornellà <hello@mcornella.com>
Added the red dot (instead of the default `*`) if the branch is dirty.
The bira theme only supported git, now it supports mercurial as well. It
needed ito call `hg_prompt_info` and the `ZSH_THEME_HG_PROMPT_`
variables.
Closes#6631
BREAKING CHANGE: the `hg_prompt_info` function now uses `ZSH_THEME_HG_PROMPT_PREFIX`
and `ZSH_THEME_HG_PROMPT_SUFFIX` variables when displaying branch information, similar
to the `git_prompt_info` function.
Closes#6631
Replaced two different calls of hg with one `hg --id --branch` for retrieving
information whether we're in a repo (will be empty if not), whether the repo is
dirty (revision id will contain "+" if there are uncommitted changed), and the
branch name.
Closes#6197Closes#7929
When calling `bundle install` with `--jobs=<n>`, bundle persists this
argument in `.bundle/config`. If we run `BUNDLE_JOBS=<n> bundle install`
instead, this is not persisted.
Fixes#10425
BREAKING CHANGE: the plugin now checks for the `docker-compose` command instead
of trying whether `docker compose` is a valid command. This means that if the
old command is still installed it will be used instead. To use `docker compose`,
uninstall any old copies of `docker-compose`.
Fixes#10409
The pygmalion and pygmalion-virtualenv themes unsafely handle git prompt information
which results in a double evaluation of this information, so a malicious git repository
could trigger a command injection if the user cloned and entered the repository.
A similar method could be used in the refined theme. All themes have been patched against this
vulnerability.
The `rand-quote` plugin uses quotationspage.com and prints part of its content to the
shell without sanitization, which could trigger command injection. There is no evidence
that this has been exploited, but this commit removes all possibility for exploit.
Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the
shell, also without sanitization. Furthermore, there is also no evidence that this has
been exploited, but with this change it is now impossible.
The `title` function unsafely prints its input without sanitization, which if used
with custom user code that calls it, it could trigger command injection.
The `spectrum_ls` and `spectrum_bls` could similarly be exploited if a variable is
changed in the user's shell environment with a carefully crafted value. This is
highly unlikely to occur (and if possible, other methods would be used instead),
but with this change the exploit of these two functions is now impossible.
The `omz_urldecode` function uses an eval to decode the input which can be
exploited to inject commands. This is used only in the svn plugin and it
requires a complex process to exploit, so it is highly unlikely to have been
used by an attacker.
