Skip to content

O
oh-my-zsh
Unverified Commit 6cb41b70 authored by Marc Cornellà's avatar Marc Cornellà
Browse files
Options

fix(lib): fix `omz_urldecode` unsafe eval bug

The `omz_urldecode` function uses an eval to decode the input which can be exploited to inject commands. This is used only in the svn plugin and it requires a complex process to exploit, so it is highly unlikely to have been used by an attacker.
parent 1448d234
Hide whitespace changes
Inline Side-by-side
Showing with 2 additions and 3 deletions
lib/functions.zsh
View file @ 6cb41b70
...@@ -237,12 +237,11 @@ function omz_urldecode { ...@@ -237,12 +237,11 @@ function omz_urldecode {
tmp=${tmp:gs/\\/\\\\/} tmp=${tmp:gs/\\/\\\\/}
# Handle %-escapes by turning them into `\xXX` printf escapes # Handle %-escapes by turning them into `\xXX` printf escapes
tmp=${tmp:gs/%/\\x/} tmp=${tmp:gs/%/\\x/}
local decoded local decoded="$(printf -- "$tmp")"
eval "decoded=\$'$tmp'"
# Now we have a UTF-8 encoded string in the variable. We need to re-encode # Now we have a UTF-8 encoded string in the variable. We need to re-encode
# it if caller is in a non-UTF-8 locale. # it if caller is in a non-UTF-8 locale.
local safe_encodings local -a safe_encodings
safe_encodings=(UTF-8 utf8 US-ASCII) safe_encodings=(UTF-8 utf8 US-ASCII)
if [[ -z ${safe_encodings[(r)$caller_encoding]} ]]; then if [[ -z ${safe_encodings[(r)$caller_encoding]} ]]; then
decoded=$(echo -E "$decoded" | iconv -f UTF-8 -t $caller_encoding) decoded=$(echo -E "$decoded" | iconv -f UTF-8 -t $caller_encoding)
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment