authorOliver Kiddle <opk@zsh.org>2021-12-15 01:56:40 +0100
committerdana <dana@dana.is>2022-01-27 19:42:54 -0600
commitc187154f47697cdbf822c2f9d714d570ed4a0fd1 (patch)
tree5cd032e2e1787af033392d6f2ed167937cd4298a
parent77d203f3fbbd76386bf197f9776269a1de580bb5 (diff)
security/41: Don't perform PROMPT_SUBST evaluation on %F/%K arguments
Mitigates CVE-2021-45444
-rw-r--r--ChangeLog5
-rw-r--r--Src/prompt.c10
2 files changed, 15 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 8d7dfc169..eb248ec06 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2022-01-27  dana  <dana@dana.is>
+
+	* Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
+	PROMPT_SUBST
+
 2020-02-14  dana  <dana@dana.is>
 
 	* unposted: Config/version.mk: Update for 5.8
diff --git a/Src/prompt.c b/Src/prompt.c
index b65bfb86b..91e21c8e9 100644
--- a/Src/prompt.c
+++ b/Src/prompt.c
@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
 	bv->fm += 2; /* skip over F{ */
 	if ((ep = strchr(bv->fm, '}'))) {
 	    char oc = *ep, *col, *coll;
+	    int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
+	    int opp = opts[PROMPTPERCENT];
+
+	    opts[PROMPTPERCENT] = 1;
+	    opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
+
 	    *ep = '\0';
 	    /* expand the contents of the argument so you can use
 	     * %v for example */
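Review bot: The override at `opts[PROMPTPERCENT] = 1; opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;` carries no comment, so the security reason for touching global options exists only in the commit message. A later cleanup could take the save/override for dead weight and drop it. I would add above the override something like `/* The argument is expanded a second time here; keep that pass to % escapes only so PROMPT_SUBST/PROMPT_BANG are not applied recursively (CVE-2021-45444). */`. The existing comment "so you can use %v for example" could also note that only % escapes are honoured in the argument. parsecolorchar's body starts and ends outside this hunk.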
@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
 	    arg = match_colour((const char **)&coll, is_fg, 0);
 	    free(col);
 	    bv->fm = ep;
+
+	    opts[PROMPTSUBST] = ops;
+	    opts[PROMPTBANG] = opb;
+	    opts[PROMPTPERCENT] = opp;
 	} else {
 	    arg = match_colour((const char **)&bv->fm, is_fg, 0);
 	    if (*bv->fm != '}')
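Review bot: The saved values are written back only after `match_colour()`, `free(col)` and `bv->fm = ep;`, although the override appears to be needed solely for the expansion call, which sits between the two hunks and is not shown here. Since `opts[]` is shell-wide state, moving the three restore lines (`opts[PROMPTSUBST] = ops;` etc.) to directly after that call would keep the altered window as small as possible. It would also make it harder for a future exit path in this branch to leave PROMPT_SUBST, PROMPT_BANG and PROMPT_PERCENT in the forced state. The diffstat lists only ChangeLog and Src/prompt.c, so no regression test accompanies the fix. A prompt test asserting that substitution syntax inside a %F{...} or %K{...} argument is left unevaluated with PROMPT_SUBST set would guard against a regression.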