1. 21 Feb, 2022 2 commits
  2. 13 Feb, 2022 1 commit
    •
      fix: apply workaround patch for vcs_info (CVE-2021-45444) · ef3f7c43
      Marc Cornellà authored
      This lib function applies a patch to the VCS_INFO_formats function
      in zsh versions from v5.0.3 until v5.8, which don't quote % chars
      in some arguments received. Normally that just means that some
      % characters in these strings (branch names, directories, etc.)
      will be incorrectly parsed as formatting sequences.
      
      With CVE-2021-45444, however, this means that one of these strings
      from a malicious source (e.g. a malicious git repository) can
      trigger command injection and run arbitrary code on the user's
      machine when visiting such a git repository.
      
      Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
      still need a workaround such as this one to patch the vulnerability.
      
      [1] https://github.com/zsh-users/zsh/commit/c3ea1e5d52eff8b7b172fa8c1ccc3462b43b2790
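The workaround described in the commit message above rests on one rule: any text that will reach zsh prompt expansion (a branch name, a directory, anything from the repository) must have its `%` characters doubled, because zsh renders `%%` as a literal percent sign. The bash script below is an added example; it is neither oh-my-zsh's lib/vcs_info.zsh nor zsh's VCS_INFO_formats, and all function names are hypothetical. The `toy_prompt_expand` function is a deliberately simplified model, not a reimplementation of zsh: it assumes that the argument of a sequence such as `%F{...}` receives a second round of parameter and command substitution when PROMPT_SUBST is set, which is the prompt-side behaviour zsh 5.8.1 also closed. The branch name is constructed (git accepts `%`, `$`, `{`, `}` and parentheses in ref names) and `echo pwned` stands in for a harmful command.

```bash
#!/usr/bin/env bash
# Added example: not oh-my-zsh's lib/vcs_info.zsh and not zsh's
# VCS_INFO_formats. Function names are hypothetical; the expander below is a
# simplified model of zsh prompt expansion, not a reimplementation of it.

# Escape untrusted text (branch name, directory, ...) before it reaches zsh
# prompt expansion. zsh renders %% as a literal percent sign, so doubling every
# % turns any attacker-supplied %-sequence into plain text.
escape_prompt_input() {
  printf '%s' "${1//%/%%}"
}

# Toy model of the vulnerable expansion: %% yields a literal %, and the
# argument of a %F{...} colour sequence gets a second round of parameter and
# command substitution (assumed model of what PROMPT_SUBST did before zsh
# 5.8.1). Everything else is copied through. Never feed real untrusted input
# to this function: the eval is the bug being illustrated.
toy_prompt_expand() {
  local s="$1" out="" arg
  while [ -n "$s" ]; do
    case "$s" in
      %%*)
        out+="%"
        s="${s#%%}" ;;
      %F\{*\}*)
        arg="${s#%F\{}"
        arg="${arg%%\}*}"
        # the second expansion: $(...) or ${...} inside the argument runs here
        out+="<color:$(eval "printf '%s' \"$arg\"")>"
        s="${s#*\}}" ;;
      *)
        out+="${s:0:1}"
        s="${s:1}" ;;
    esac
  done
  printf '%s' "$out"
}

# Vulnerable: the branch name goes into the prompt string verbatim, as
# VCS_INFO_formats did in zsh 5.0.3 through 5.8.
render_branch_unsafe() {
  toy_prompt_expand "[git:$1]"
}

# Fixed: escape first, which is what the vcs_info workaround achieves.
render_branch_safe() {
  toy_prompt_expand "[git:$(escape_prompt_input "$1")]"
}

# Constructed branch name; 'echo pwned' stands in for a harmful command.
evil_branch='%F{$(echo pwned)}'
printf 'unsafe: %s\n' "$(render_branch_unsafe "$evil_branch")"   # [git:<color:pwned>]
printf 'safe:   %s\n' "$(render_branch_safe "$evil_branch")"     # [git:%F{$(echo pwned)}]
```

The escaped form still displays correctly, because the single `%%` collapses back to one visible `%` during prompt expansion; a branch called `50%-done` is shown as `50%-done`, while an attacker-chosen `%F{...}` is shown as text instead of being interpreted.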
  3. 10 Feb, 2022 1 commit
  4. 02 Feb, 2022 1 commit
    •
      fix(cli): allow `omz` commands to be used in a script (#10645) · e1a9d0ce
      Marc Cornellà authored
      The commands `omz plugin {enable,disable}` and `omz theme set`
      automatically reload the zsh session on success. With this
      change, the CLI checks whether the commands are run in an
      interactive session before reloading the zsh session.
      
      This change also conditionally sets the completion function
      for `omz` so that it's not done in a non-interactive session.
  5. 24 Jan, 2022 1 commit
  6. 22 Jan, 2022 1 commit
  7. 17 Jan, 2022 1 commit
  8. 13 Jan, 2022 1 commit
  9. 09 Jan, 2022 1 commit
  10. 03 Jan, 2022 2 commits
  11. 21 Dec, 2021 1 commit
  12. 16 Dec, 2021 1 commit
  13. 13 Dec, 2021 2 commits
  14. 30 Nov, 2021 1 commit
  15. 25 Nov, 2021 1 commit
  16. 11 Nov, 2021 2 commits
    •
      fix(lib): fix potential command injection in `title` and `spectrum` functions · a263cdac
      Marc Cornellà authored
      The `title` function unsafely prints its input without sanitization, which, if used
      with custom user code that calls it, could trigger command injection.
      
      The `spectrum_ls` and `spectrum_bls` functions could similarly be exploited if a variable is
      changed in the user's shell environment with a carefully crafted value. This is
      highly unlikely to occur (and if possible, other methods would be used instead),
      but with this change the exploit of these two functions is now impossible.
    •
      fix(lib): fix `omz_urldecode` unsafe eval bug · 6cb41b70
      Marc Cornellà authored
      The `omz_urldecode` function uses an eval to decode the input which can be
      exploited to inject commands. This is used only in the svn plugin and it
      requires a complex process to exploit, so it is highly unlikely to have been
      used by an attacker.
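The commit message above describes the general hazard of decoding with `eval`: once the input is spliced into a command string, anything besides the intended `%XX` escapes is evaluated as shell code. The bash script below is an added example, written from scratch and not oh-my-zsh's `omz_urldecode`; both function names are hypothetical. `urldecode_eval` is a generic eval-based decoder of the kind the commit warns about, and `urldecode_safe` decodes the same input byte by byte, so the only thing ever interpreted is a two-hex-digit escape that the pattern has already validated. The injection sample is constructed, with `echo pwned` standing in for a harmful command.

```bash
#!/usr/bin/env bash
# Added example: not oh-my-zsh's omz_urldecode. Contrasts a generic
# eval-based decoder (written here from scratch) with one that never
# evaluates its input. Function names are hypothetical.

# UNSAFE pattern: rewrite %XX into \xXX and let eval plus $'...' do the
# decoding. Quotes or $(...) in the input are evaluated along with it.
urldecode_eval() {
  local s="${1//+/ }"
  eval "printf '%s' \$'${s//\%/\\x}'"
}

# SAFE: walk the string, and for each validated %XX escape ask printf for
# that single byte. Nothing from the input is ever parsed as shell syntax.
# (A %00 byte cannot be stored in a bash variable and is dropped; every
# other byte, including newlines, is preserved.)
urldecode_safe() {
  local s="${1//+/ }" out="" hex byte
  while [ -n "$s" ]; do
    case "$s" in
      %[0-9A-Fa-f][0-9A-Fa-f]*)
        hex="${s:1:2}"
        printf -v byte "\\x$hex"    # the only interpreted text: two hex digits
        out+="$byte"
        s="${s:3}" ;;
      *)
        out+="${s:0:1}"             # anything else, including a stray %, is literal
        s="${s:1}" ;;
    esac
  done
  printf '%s' "$out"
}

# Constructed injection sample; 'echo pwned' stands in for a harmful command.
injection_sample="x'\$(echo pwned)'y"

printf 'eval decoder:  %s\n' "$(urldecode_eval "$injection_sample")"   # xpwnedy  (command ran)
printf 'safe decoder:  %s\n' "$(urldecode_safe "$injection_sample")"   # x'$(echo pwned)'y
printf 'safe decoder:  %s\n' "$(urldecode_safe 'hello%20world%21')"    # hello world!
```

The eval-based decoder looks harmless because its format string is fixed, but the value it decodes becomes part of the command line that `eval` parses; the safe decoder passes the untrusted bytes only as data, which is the same distinction that makes `print -P` with raw input and `eval` with raw input dangerous elsewhere in a shell library.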
  17. 10 Nov, 2021 1 commit
  18. 09 Nov, 2021 2 commits
  19. 02 Nov, 2021 1 commit
  20. 25 Oct, 2021 1 commit
  21. 10 Oct, 2021 1 commit
  22. 09 Oct, 2021 1 commit
  23. 05 Oct, 2021 1 commit
  24. 04 Oct, 2021 1 commit
  25. 30 Sep, 2021 2 commits
  26. 29 Sep, 2021 2 commits
  27. 22 Sep, 2021 1 commit
  28. 18 Aug, 2021 2 commits
  29. 17 Aug, 2021 4 commits