Fix command injection via malicious repository config

This is a mitigation for #45 and is the same method that was implemented by the fish shell maintainers in fish-shell/fish-shell#8589
jaspernbrouwer · Oct 9, 2022 · fe8e963 · fe8e963
1 parent 8000c7f
commit fe8e963
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/powerline_gitstatus/segments.py b/powerline_gitstatus/segments.py
@@ -27,13 +27,13 @@ def execute(self, pl, command):
 
     def get_base_command(self, cwd, use_dash_c):
         if use_dash_c:
-            return ['git', '-C', cwd]
+            return ['git', '-c', 'core.fsmonitor=', '-C', cwd]
 
         while cwd and cwd != os.sep:
             gitdir = os.path.join(cwd, '.git')
 
             if os.path.isdir(gitdir):
-                return ['git', '--git-dir=%s' % gitdir, '--work-tree=%s' % cwd]
+                return ['git', '-c', 'core.fsmonitor=', '--git-dir=%s' % gitdir, '--work-tree=%s' % cwd]
 
             cwd = os.path.dirname(cwd)