diff options
| author | Junio C Hamano <gitster@pobox.com> | 2014-05-08 10:01:18 -0700 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2014-05-08 10:01:18 -0700 |
| commit | 6eca9c0e878dc1e6c8cab64c16183401e0580ea0 (patch) | |
| tree | b4c6041622c9c4656d06adfc6cea45a2a34f245b /contrib | |
| parent | e79fcfcd3f95b1a6b4df11b889c69a80864354b0 (diff) | |
| parent | 8976500cbbb13270398d3b3e07a17b8cc7bff43f (diff) | |
| download | git-6eca9c0e878dc1e6c8cab64c16183401e0580ea0.tar.gz | |
Merge branch 'rh/prompt-pcmode-avoid-eval-on-refname' into maint
The shell prompt script (in contrib/), when using the PROMPT_COMMAND
interface, used an unsafe construct when showing the branch name in
$PS1.
* rh/prompt-pcmode-avoid-eval-on-refname:
git-prompt.sh: don't put unsanitized branch names in $PS1
Diffstat (limited to 'contrib')
| -rw-r--r-- | contrib/completion/git-prompt.sh | 34 |
1 files changed, 32 insertions, 2 deletions
diff --git a/contrib/completion/git-prompt.sh b/contrib/completion/git-prompt.sh index 7b732d2aeb..bd7ff291b2 100644 --- a/contrib/completion/git-prompt.sh +++ b/contrib/completion/git-prompt.sh @@ -207,7 +207,18 @@ __git_ps1_show_upstream () p=" u+${count#* }-${count% *}" ;; esac if [[ -n "$count" && -n "$name" ]]; then - p="$p $(git rev-parse --abbrev-ref "$upstream" 2>/dev/null)" + __git_ps1_upstream_name=$(git rev-parse \ + --abbrev-ref "$upstream" 2>/dev/null) + if [ $pcmode = yes ]; then + # see the comments around the + # __git_ps1_branch_name variable below + p="$p \${__git_ps1_upstream_name}" + else + p="$p ${__git_ps1_upstream_name}" + # not needed anymore; keep user's + # environment clean + unset __git_ps1_upstream_name + fi fi fi @@ -438,8 +449,27 @@ __git_ps1 () __git_ps1_colorize_gitstring fi + b=${b##refs/heads/} + if [ $pcmode = yes ]; then + # In pcmode (and only pcmode) the contents of + # $gitstring are subject to expansion by the shell. + # Avoid putting the raw ref name in the prompt to + # protect the user from arbitrary code execution via + # specially crafted ref names (e.g., a ref named + # '$(IFS=_;cmd=sudo_rm_-rf_/;$cmd)' would execute + # 'sudo rm -rf /' when the prompt is drawn). Instead, + # put the ref name in a new global variable (in the + # __git_ps1_* namespace to avoid colliding with the + # user's environment) and reference that variable from + # PS1. + __git_ps1_branch_name=$b + # note that the $ is escaped -- the variable will be + # expanded later (when it's time to draw the prompt) + b="\${__git_ps1_branch_name}" + fi + local f="$w$i$s$u" - local gitstring="$c${b##refs/heads/}${f:+$z$f}$r$p" + local gitstring="$c$b${f:+$z$f}$r$p" if [ $pcmode = yes ]; then if [ "${__git_printf_supports_v-}" != yes ]; then |