authorOliver Kiddle <opk@zsh.org>2021-12-15 01:56:40 +0100
committerdana <dana@dana.is>2022-02-12 10:29:55 -0600
commitc3ea1e5d52eff8b7b172fa8c1ccc3462b43b2790 (patch)
treecdb08b9459058126cc5ece432c8d01dc4ee34bcc /Src/prompt.c
parentfc18b7c8a29326e8d5233694954f699f7d018704 (diff)
security/41: Don't perform PROMPT_SUBST evaluation on %F/%K arguments
Mitigates CVE-2021-45444 (cherry picked from commit c187154f47697cdbf822c2f9d714d570ed4a0fd1)
Diffstat (limited to 'Src/prompt.c')
-rw-r--r--Src/prompt.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/Src/prompt.c b/Src/prompt.c
index d6b378539..738c7fc7a 100644
--- a/Src/prompt.c
+++ b/Src/prompt.c
@@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
bv->fm += 2; /* skip over F{ */
if ((ep = strchr(bv->fm, '}'))) {
char oc = *ep, *col, *coll;
+ int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
+ int opp = opts[PROMPTPERCENT];
+
+ opts[PROMPTPERCENT] = 1;
+ opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
+
*ep = '\0';
/* expand the contents of the argument so you can use
* %v for example */
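Review bot: The added override of `opts[PROMPTSUBST]`, `opts[PROMPTBANG]` and `opts[PROMPTPERCENT]` carries no comment saying why, and the only nearby comment still just describes the expansion ("so you can use %v"). Because the text between the braces is re-expanded as a prompt string and may hold data the user did not type literally, I would put a comment above the assignments such as `/* Expand the colour argument with PROMPT_SUBST and PROMPT_BANG off so it only undergoes %-escape expansion, never parameter/command substitution (CVE-2021-45444). */`. The reason for forcing `opts[PROMPTPERCENT] = 1` is not stated anywhere in the hunk; presumably it keeps escapes like `%v` working, and that should be confirmed and written down too. The enclosing function starts and ends outside the hunk.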
@@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
arg = match_colour((const char **)&coll, is_fg, 0);
free(col);
bv->fm = ep;
+
+ opts[PROMPTSUBST] = ops;
+ opts[PROMPTBANG] = opb;
+ opts[PROMPTPERCENT] = opp;
} else {
arg = match_colour((const char **)&bv->fm, is_fg, 0);
if (*bv->fm != '}')
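Review bot: The three options are restored only after `match_colour()` and `free(col)`, although only the expansion call that sits between the two hunks (not visible here) appears to need them changed. Restoring directly after that call would keep the window in which the global `opts[]` differs from the user's settings as small as possible, and would make it harder for a later edit to add an early exit between save and restore that leaves PROMPT_SUBST switched off afterwards. If the same save/force/restore sequence is wanted for other re-expanded prompt arguments, a pair of small static helpers would avoid copying the three temporaries `ops`, `opb`, `opp` around. The diffstat is limited to this file, so I cannot tell whether a regression test accompanies the change; one asserting that a `%F{...}` argument is left unevaluated with PROMPT_SUBST set would pin the fix.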