From 5cd3380d9ddaa45f912339e9cac00dc7457202cb Mon Sep 17 00:00:00 2001
From: Samantha McVey
Date: Wed, 5 Jul 2017 11:56:41 -0700
Subject: [PATCH] [prompt/sorin] Fix branch code exploit vulnerability

Escape all $ except the first $. Escape all backtick `'s. This prevents variable names or shell expansions placed as branch names from remotely exploiting code. Fixes issue #1267 for sorin prompt.
---
 modules/prompt/functions/prompt_sorin_setup | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/modules/prompt/functions/prompt_sorin_setup b/modules/prompt/functions/prompt_sorin_setup
index 272e4f4e..3a2a9f71 100644
--- a/modules/prompt/functions/prompt_sorin_setup
+++ b/modules/prompt/functions/prompt_sorin_setup
@@ -54,7 +54,23 @@ function prompt_sorin_precmd_async {
 # Get Git repository information.
 if (( $+functions[git-info] )); then
 git-info
- typeset -p git_info >! "$_prompt_sorin_precmd_async_data"
+ ### TODO XXX
+ # This section exists to patch over vulnerabilities when sourcing the
+ # file in $_prompt_sorin_precmd_async_data. Without it if a branch is named
+ # $foo it will expand if we have a $foo variable, and a branch named
+ # $(IFS=_;cmd=rm_-rf_~;$cmd) could delete the users home directory.
+ # This is a stopgap to prevent code execution and fix the vulnerability,
+ # but it eventually needs to be removed in favor of zsh_async and not using
+ # a file to store the prompt data in.
+ ###
+ local tmp_prompt_var=$(typeset -p git_info)
+ # Replace all $ with $\ to escape
+ tmp_prompt_var=${tmp_prompt_var//\$/\\$}
+ # Unescape the first \$ as it's our $( )
+ tmp_prompt_var=${tmp_prompt_var:s/\\$/\$}
+ # Escape all backticks ` to \`
+ tmp_prompt_var=${tmp_prompt_var//\`/\\\`}
+ printf "%s\n" "$tmp_prompt_var" >! "$_prompt_sorin_precmd_async_data"
 fi
 
 # Signal completion to parent process.
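Review bot: The un-escape step `tmp_prompt_var=${tmp_prompt_var:s/\\$/\$}` rests on a wrong premise: the `$(` of `local tmp_prompt_var=$(typeset -p git_info)` is consumed by the shell and is never part of the captured output, so what this line re-enables is the first `$` that `typeset -p` itself printed. Unless that `$` is guaranteed to belong to typeset's own quoting (`$'...'`), which depends on the zsh version and on the value being serialised, it is the first `$` of attacker-controlled ref data, and a branch named `$(...)` keeps its leading `$` live when the file is later expanded. A more robust shape is to escape `$` and backtick in the values of `git_info` before `typeset -p` serialises them, so the serializer's quoting is never touched and nothing has to be selectively un-escaped; the escaped `\$` then survives sourcing as literal text and is inert at the expansion site. The consumer of `$_prompt_sorin_precmd_async_data` is outside this hunk, and `prompt_sorin_precmd_async` begins before the hunk and continues past the `# Signal completion` line, so I cannot confirm how the value is expanded there.

```zsh
    git-info
    # Escape $ and ` inside the values before serialising, so the quoting that
    # typeset -p emits is left intact and nothing has to be un-escaped later.
    local _key
    for _key in ${(k)git_info}; do
      git_info[$_key]=${${git_info[$_key]//\$/\\$}//\`/\\\`}
    done
    typeset -p git_info >! "$_prompt_sorin_precmd_async_data"
```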