    fix: apply workaround patch for vcs_info (CVE-2021-45444) · ef3f7c43
    Marc Cornellà authored
    This lib function applies a patch to the VCS_INFO_formats function
    in zsh versions from v5.0.3 until v5.8, which don't quote % chars
    in some arguments received. Normally that just means that some
    % characters in these strings (branch names, directories, etc.)
    will be incorrectly parsed as formatting sequences.
    
    With CVE-2021-45444, however, this means that one of these strings
    from a malicious source (e.g. a malicious git repository) can
    trigger command injection and run arbitrary code on the user's
    machine when visiting such a git repository.
    
    Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
    still need a workaround such as this one to patch the vulnerability.
    
    [1] https://github.com/zsh-users/zsh/commit/c3ea1e5d52eff8b7b172fa8c1ccc3462b43b2790
Name
bzr.zsh
cli.zsh
clipboard.zsh
compfix.zsh
completion.zsh
correction.zsh
diagnostics.zsh
directories.zsh
functions.zsh
git.zsh
grep.zsh
history.zsh
key-bindings.zsh
misc.zsh
nvm.zsh
prompt_info_functions.zsh
spectrum.zsh
termsupport.zsh
theme-and-appearance.zsh
vcs_info.zsh