-
Marc Cornellà authoredThis lib function applies a patch to the VCS_INFO_formats function in zsh versions from v5.0.3 until v5.8, which don't quote % chars in some arguments received. Normally that just means that some % characters in these strings (branch names, directories, etc.) will be incorrectly parsed as formatting sequences. With CVE-2021-45444, however, this means that one of these strings from a malicious source (e.g. a malicious git repository) can trigger command injection and run arbitrary code in the user's machine when visiting such git repository. Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups still need a workaround such as this one to patch the vulnerability. [1] https://github.com/zsh-users/zsh/commit/c3ea1e5d52eff8b7b172fa8c1ccc3462b43b2790
| Name |
Last commit
|
Last update |
|---|---|---|
| .github | ||
| cache | ||
| custom | ||
| lib | ||
| log | ||
| plugins | ||
| templates | ||
| themes | ||
| tools | ||
| .editorconfig | ||
| .gitignore | ||
| .gitpod.Dockerfile | ||
| .gitpod.yml | ||
| CODE_OF_CONDUCT.md | ||
| CONTRIBUTING.md | ||
| LICENSE.txt | ||
| README.md | ||
| SECURITY.md | ||
| oh-my-zsh.sh |