fix(plugins): fix potential command injection in rand-quote and `hitokoto`

The `rand-quote` plugin uses quotationspage.com and prints part of its content to the shell without sanitization, which could allow command injection. There is no evidence that this has been exploited, but this commit removes any possibility of exploitation. Similarly, the `hitokoto` plugin uses the hitokoto.cn website to print quotes to the shell, also without sanitization. Likewise, there is no evidence that this has been exploited, but with this change it is no longer possible.
Showing
2 changed files
with
27 additions
and
14 deletions.
| @@ -1,14 +1,18 @@ | ||
| if ! (( $+commands[curl] )); then | ||
| echo "hitokoto plugin needs curl to work" >&2 | ||
| return | ||
| echo "hitokoto plugin needs curl to work" >&2 | ||
| return | ||
| fi | ||
|
|
||
| function hitokoto { | ||
| emulate -L zsh | ||
| Q=$(curl -s --connect-timeout 2 "https://v1.hitokoto.cn" | jq -j '.hitokoto+"\t"+.from') | ||
| setopt localoptions nopromptsubst | ||
|
|
||
| TXT=$(echo "$Q" | awk -F '\t' '{print $1}') | ||
| WHO=$(echo "$Q" | awk -F '\t' '{print $2}') | ||
| # Get hitokoto data | ||
| local -a data | ||
| data=("${(ps:\n:)"$(command curl -s --connect-timeout 2 "https://v1.hitokoto.cn" | command jq -j '.hitokoto+"\n"+.from')"}") | ||
|
|
||
| [[ -n "$WHO" && -n "$TXT" ]] && print -P "%F{3}${WHO}%f: “%F{5}${TXT}%f”" | ||
| # Exit if could not fetch hitokoto | ||
| [[ -n "$data" ]] || return 0 | ||
|
|
||
| local quote="${data[1]}" author="${data[2]}" | ||
| print -P "%F{3}${author}%f: “%F{5}${quote}%f”" | ||
| } |
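Review bot: The new `print -P` line just before the closing brace still hands the fetched `author` and `quote` values to prompt expansion and backslash-escape processing, so `nopromptsubst` closes the `$(...)` substitution path but `%`-style prompt sequences and `\e`-style escapes inside the downloaded text are still interpreted on output; the `print -P` in the rand-quote section has the same shape. Expand the colour codes once from constant strings and print the data verbatim: `local c_a="${(%):-%F{3}}" c_q="${(%):-%F{5}}" c_r="${(%):-%f}"` followed by `print -r -- "${c_a}${author}${c_r}: “${c_q}${quote}${c_r}”"`. Separately, the guard at the top of the file checks only for `curl`, while the new pipeline also depends on `jq`; with `jq` missing the function now returns silently through `[[ -n "$data" ]] || return 0`, so `jq` deserves the same `(( $+commands[jq] ))` check and stderr message.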
| @@ -1,14 +1,23 @@ | ||
| if ! (( $+commands[curl] )); then | ||
| echo "rand-quote plugin needs curl to work" >&2 | ||
| return | ||
| echo "rand-quote plugin needs curl to work" >&2 | ||
| return | ||
| fi | ||
|
|
||
| function quote { | ||
| emulate -L zsh | ||
| Q=$(curl -s --connect-timeout 2 "http://www.quotationspage.com/random.php" | iconv -c -f ISO-8859-1 -t UTF-8 | grep -m 1 "dt ") | ||
| setopt localoptions nopromptsubst | ||
|
|
||
| TXT=$(echo "$Q" | sed -e 's/<\/dt>.*//g' -e 's/.*html//g' -e 's/^[^a-zA-Z]*//' -e 's/<\/a..*$//g') | ||
| WHO=$(echo "$Q" | sed -e 's/.*\/quotes\///g' -e 's/<.*//g' -e 's/.*">//g') | ||
| # Get random quote data | ||
| local data | ||
| data="$(command curl -s --connect-timeout 2 "http://www.quotationspage.com/random.php" \ | ||
| | iconv -c -f ISO-8859-1 -t UTF-8 \ | ||
| | command grep -a -m 1 'dt class="quote"')" | ||
|
|
||
| [[ -n "$WHO" && -n "$TXT" ]] && print -P "%F{3}${WHO}%f: “%F{5}${TXT}%f”" | ||
| # Exit if could not fetch random quote | ||
| [[ -n "$data" ]] || return 0 | ||
|
|
||
| local quote author | ||
| quote=$(sed -e 's|</dt>.*||g' -e 's|.*html||g' -e 's|^[^a-zA-Z]*||' -e 's|</a..*$||g' <<< "$data") | ||
| author=$(sed -e 's|.*/quotes/||g' -e 's|<.*||g' -e 's|.*">||g' <<< "$data") | ||
|
|
||
| print -P "%F{3}${author}%f: “%F{5}${quote}%f”" | ||
| } |
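Review bot: The new code drops the old `[[ -n "$WHO" && -n "$TXT" ]]` guard: after `[[ -n "$data" ]] || return 0` the final `print -P` runs unconditionally, so when the `sed` extraction yields empty strings (for instance if the page markup drifts so that the `dt class="quote"` line no longer carries the expected `/quotes/` and `html` fragments) the function now prints `: “”` where it used to stay silent. Restore the check on the extracted values before the print: `[[ -n "$quote" && -n "$author" ]] || return 0`. The `iconv -c` and `grep -a` stages are unchecked as well, but under `emulate -L zsh` an empty result is already caught by the `$data` test, so only the post-extraction guard is missing.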