    fix(plugins): fix potential command injection in `rand-quote` and `hitokoto` · 72928432
    Marc Cornellà authored
    The `rand-quote` plugin uses quotationspage.com and prints part of its content to the
    shell without sanitization, which could trigger command injection. There is no evidence
    that this has been exploited, but this commit removes all possibility for exploit.
    
    Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the
    shell, also without sanitization. Likewise, there is no evidence that this has been
    exploited, but with this change it is no longer possible.
rand-quote.plugin.zsh 699 Bytes
# The plugin cannot fetch anything without curl: warn on stderr and stop
# sourcing this file (`return`, not `exit`, so the user's shell survives).
(( $+commands[curl] )) || {
  echo "rand-quote plugin needs curl to work" >&2
  return
}

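function quote {
  # Print one random quote from quotationspage.com as `author: “quote”`.
  #
  # Everything fetched is untrusted. It is only ever parsed with fixed sed
  # patterns (never interpolated into a pattern or a command line), and
  # PROMPT_SUBST is switched off for this function so that `print -P` below
  # cannot evaluate `$(...)`, `${...}` or backtick sequences present in the
  # page content.
  setopt localoptions nopromptsubst

  # Fetch the page and keep only the first line carrying the quote markup.
  # `iconv -c` discards bytes it cannot convert instead of failing the pipe;
  # `grep -a` treats the response as text even if it contains binary junk.
  local data
  data="$(command curl -s --connect-timeout 2 "http://www.quotationspage.com/random.php" \
    | iconv -c -f ISO-8859-1 -t UTF-8 \
    | command grep -a -m 1 'dt class="quote"')"

  # Nothing usable (offline, timeout, page layout changed): stay silent and
  # succeed so a prompt or login hook calling this does not report an error.
  [[ -n "$data" ]] || return 0

  # Cut the quote text and the author name out of the markup line.
  local quote author
  quote=$(sed -e 's|</dt>.*||g' -e 's|.*html||g' -e 's|^[^a-zA-Z]*||' -e 's|</a..*$||g' <<< "$data")
  author=$(sed -e 's|.*/quotes/||g' -e 's|<.*||g' -e 's|.*">||g' <<< "$data")

  # `nopromptsubst` stops command substitution, but `print -P` still expands
  # `%` prompt escapes (`%~`, `%F{..}`, `%(..)` ...) found in the fetched text,
  # which would mangle or re-colour a quote containing a percent sign. Double
  # every `%` in the untrusted strings so only our own escapes are interpreted
  # and the fetched text is printed verbatim.
  print -P "%F{3}${author:gs/%/%%}%f: “%F{5}${quote:gs/%/%%}%f”"
}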