From 9ce87af4ced4e21258e6003f1fb65b05ca5a7d14 Mon Sep 17 00:00:00 2001 From: Oliver Kiddle Date: Wed, 15 Dec 2021 01:56:40 +0100 Subject: [PATCH] security/41: Don't perform PROMPT_SUBST evaluation on %F/%K arguments Mitigates CVE-2021-45444 Upstream-commit: c187154f47697cdbf822c2f9d714d570ed4a0fd1 Signed-off-by: Kamil Dudka --- Src/prompt.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/Src/prompt.c b/Src/prompt.c index 95da525..1368f8e 100644 --- a/Src/prompt.c +++ b/Src/prompt.c @@ -244,6 +244,12 @@ parsecolorchar(int arg, int is_fg) bv->fm += 2; /* skip over F{ */ if ((ep = strchr(bv->fm, '}'))) { char oc = *ep, *col, *coll; + int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG]; + int opp = opts[PROMPTPERCENT]; + + opts[PROMPTPERCENT] = 1; + opts[PROMPTSUBST] = opts[PROMPTBANG] = 0; + *ep = '\0'; /* expand the contents of the argument so you can use * %v for example */ @@ -252,6 +258,10 @@ parsecolorchar(int arg, int is_fg) arg = match_colour((const char **)&coll, is_fg, 0); free(col); bv->fm = ep; + + opts[PROMPTSUBST] = ops; + opts[PROMPTBANG] = opb; + opts[PROMPTPERCENT] = opp; } else { arg = match_colour((const char **)&bv->fm, is_fg, 0); if (*bv->fm != '}') -- 2.34.1