fix(lib): fix `omz_urldecode` unsafe eval bug

The `omz_urldecode` function uses an eval to decode the input which can be exploited to inject commands. This is used only in the svn plugin and it requires a complex process to exploit, so it is highly unlikely to have been used by an attacker.

fix(lib): fix `omz_urldecode` unsafe eval bug
The `omz_urldecode` function uses an eval to decode the input which can be exploited to inject commands. This is used only in the svn plugin and it requires a complex process to exploit, so it is highly unlikely to have been used by an attacker.
6cb41b70 · Marc Cornellà · 1448d234 · 6cb41b70
Unverified Commit 6cb41b70 authored Nov 08, 2021 by Marc Cornellà
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 3 deletions

functions.zsh lib/functions.zsh +2 -3

No files found.
--- a/lib/functions.zsh
+++ b/lib/functions.zsh
@@ -237,12 +237,11 @@ function omz_urldecode {
  tmp=${tmp:gs/\\/\\\\/}
  # Handle %-escapes by turning them into `\xXX` printf escapes
  tmp=${tmp:gs/%/\\x/}
-  local decoded
-  eval "decoded=\$'$tmp'"
+  local decoded="$(printf -- "$tmp")"

  # Now we have a UTF-8 encoded string in the variable. We need to re-encode
  # it if caller is in a non-UTF-8 locale.
-  local safe_encodings
+  local -a safe_encodings
  safe_encodings=(UTF-8 utf8 US-ASCII)
  if [[ -z ${safe_encodings[(r)$caller_encoding]} ]]; then
    decoded=$(echo -E "$decoded" | iconv -f UTF-8 -t $caller_encoding)