[prompt/sorin] Fix branch code exploit vulnerability

Escape all $ except the first $. Escape all backtick `'s. This prevents
variable names or shell expansions placed as branch names from
remotely exploiting code.

Fixes issue #1267 for sorin prompt.
This commit is contained in:
Samantha McVey 2017-07-05 11:56:41 -07:00 committed by Kaleb Elwert
parent c6124d4d37
commit 5cd3380d9d

View file

@ -54,7 +54,23 @@ function prompt_sorin_precmd_async {
# Get Git repository information.
if (( $+functions[git-info] )); then
git-info
typeset -p git_info >! "$_prompt_sorin_precmd_async_data"
### TODO XXX
# This section exists to patch over vulnerabilities when sourcing the
# file in $_prompt_sorin_precmd_async_data. Without it if a branch is named
# $foo it will expand if we have a $foo variable, and a branch named
# $(IFS=_;cmd=rm_-rf_~;$cmd) could delete the users home directory.
# This is a stopgap to prevent code execution and fix the vulnerability,
# but it eventually needs to be removed in favor of zsh_async and not using
# a file to store the prompt data in.
###
local tmp_prompt_var=$(typeset -p git_info)
# Replace all $ with $\ to escape
tmp_prompt_var=${tmp_prompt_var//\$/\\$}
# Unescape the first \$ as it's our $( )
tmp_prompt_var=${tmp_prompt_var:s/\\$/\$}
# Escape all backticks ` to \`
tmp_prompt_var=${tmp_prompt_var//\`/\\\`}
printf "%s\n" "$tmp_prompt_var" >! "$_prompt_sorin_precmd_async_data"
fi
# Signal completion to parent process.