mirror of
https://github.com/ohmyzsh/ohmyzsh.git
synced 2025-12-05 01:46:46 +01:00
This lib function applies a patch to the VCS_INFO_formats function
in zsh versions from v5.0.3 until v5.8, which don't quote % chars
in some arguments received. Normally that just means that some
% characters in these strings (branch names, directories, etc.)
will be incorrectly parsed as formatting sequences.
With CVE-2021-45444, however, this means that one of these strings
from a malicious source (e.g. a malicious git repository) can
trigger command injection and run arbitrary code on the user's
machine when visiting such a git repository.
Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
still need a workaround such as this one to patch the vulnerability.
[1]
| File |
|---|
| bzr.zsh |
| cli.zsh |
| clipboard.zsh |
| compfix.zsh |
| completion.zsh |
| correction.zsh |
| diagnostics.zsh |
| directories.zsh |
| functions.zsh |
| git.zsh |
| grep.zsh |
| history.zsh |
| key-bindings.zsh |
| misc.zsh |
| nvm.zsh |
| prompt_info_functions.zsh |
| spectrum.zsh |
| termsupport.zsh |
| theme-and-appearance.zsh |
| vcs_info.zsh |