mirror of
https://github.com/ohmyzsh/ohmyzsh.git
synced 2024-12-12 20:21:02 +01:00
ef3f7c43a9
This lib function applies a patch to the VCS_INFO_formats function
in zsh versions from v5.0.3 until v5.8, which don't quote % chars
in some arguments received. Normally that just means that some
% characters in these strings (branch names, directories, etc.)
will be incorrectly parsed as formatting sequences.
With CVE-2021-45444, however, this means that one of these strings
from a malicious source (e.g. a malicious git repository) can
trigger command injection and run arbitrary code in the user's
machine when visiting such git repository.
Zsh 5.8.1 fixes this vulnerability [1], but older vcs_info setups
still need a workaround such as this one to patch the vulnerability.
[1]
|
||
---|---|---|
.. | ||
bzr.zsh | ||
cli.zsh | ||
clipboard.zsh | ||
compfix.zsh | ||
completion.zsh | ||
correction.zsh | ||
diagnostics.zsh | ||
directories.zsh | ||
functions.zsh | ||
git.zsh | ||
grep.zsh | ||
history.zsh | ||
key-bindings.zsh | ||
misc.zsh | ||
nvm.zsh | ||
prompt_info_functions.zsh | ||
spectrum.zsh | ||
termsupport.zsh | ||
theme-and-appearance.zsh | ||
vcs_info.zsh |