diff options
author | Oliver Kiddle <opk@zsh.org> | 2021-12-15 01:56:40 +0100 |
---|---|---|
committer | dana <dana@dana.is> | 2022-01-27 19:42:54 -0600 |
commit | c187154f47697cdbf822c2f9d714d570ed4a0fd1 (patch) | |
tree | 5cd032e2e1787af033392d6f2ed167937cd4298a | |
parent | 77d203f3fbbd76386bf197f9776269a1de580bb5 (diff) | |
download | zsh-c187154f47697cdbf822c2f9d714d570ed4a0fd1.tar.gz zsh-c187154f47697cdbf822c2f9d714d570ed4a0fd1.tar.xz zsh-c187154f47697cdbf822c2f9d714d570ed4a0fd1.zip |
security/41: Don't perform PROMPT_SUBST evaluation on %F/%K arguments
Mitigates CVE-2021-45444
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | Src/prompt.c | 10 |
2 files changed, 15 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog index 8d7dfc169..eb248ec06 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2022-01-27 dana <dana@dana.is> + + * Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive + PROMPT_SUBST + 2020-02-14 dana <dana@dana.is> * unposted: Config/version.mk: Update for 5.8 diff --git a/Src/prompt.c b/Src/prompt.c index b65bfb86b..91e21c8e9 100644 --- a/Src/prompt.c +++ b/Src/prompt.c @@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg) bv->fm += 2; /* skip over F{ */ if ((ep = strchr(bv->fm, '}'))) { char oc = *ep, *col, *coll; + int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG]; + int opp = opts[PROMPTPERCENT]; + + opts[PROMPTPERCENT] = 1; + opts[PROMPTSUBST] = opts[PROMPTBANG] = 0; + *ep = '\0'; /* expand the contents of the argument so you can use * %v for example */ @@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg) arg = match_colour((const char **)&coll, is_fg, 0); free(col); bv->fm = ep; + + opts[PROMPTSUBST] = ops; + opts[PROMPTBANG] = opb; + opts[PROMPTPERCENT] = opp; } else { arg = match_colour((const char **)&bv->fm, is_fg, 0); if (*bv->fm != '}') |