From 5cd3380d9ddaa45f912339e9cac00dc7457202cb Mon Sep 17 00:00:00 2001
From: Samantha McVey <samantham@posteo.net>
Date: Wed, 5 Jul 2017 11:56:41 -0700
Subject: [PATCH] [prompt/sorin] Fix branch code exploit vulnerability

Escape all $ except the first $. Escape all backtick `'s. This prevents
variable names or shell expansions placed as branch names from
remotely exploiting code.

Fixes issue #1267 for sorin prompt.
---
 modules/prompt/functions/prompt_sorin_setup | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/modules/prompt/functions/prompt_sorin_setup b/modules/prompt/functions/prompt_sorin_setup
index 272e4f4..3a2a9f7 100644
--- a/modules/prompt/functions/prompt_sorin_setup
+++ b/modules/prompt/functions/prompt_sorin_setup
@@ -54,7 +54,23 @@ function prompt_sorin_precmd_async {
   # Get Git repository information.
   if (( $+functions[git-info] )); then
     git-info
-    typeset -p git_info >! "$_prompt_sorin_precmd_async_data"
+    ### TODO XXX
+    # This section exists to patch over vulnerabilities when sourcing the
+    # file in $_prompt_sorin_precmd_async_data. Without it if a branch is named
+    # $foo it will expand if we have a $foo variable, and a branch named
+    # $(IFS=_;cmd=rm_-rf_~;$cmd) could delete the users home directory.
+    # This is a stopgap to prevent code execution and fix the vulnerability,
+    # but it eventually needs to be removed in favor of zsh_async and not using
+    # a file to store the prompt data in.
+    ###
+    local tmp_prompt_var=$(typeset -p git_info)
+    # Replace all $ with $\ to escape
+    tmp_prompt_var=${tmp_prompt_var//\$/\\$}
+    # Unescape the first \$ as it's our $( )
+    tmp_prompt_var=${tmp_prompt_var:s/\\$/\$}
+    # Escape all backticks ` to \`
+    tmp_prompt_var=${tmp_prompt_var//\`/\\\`}
+    printf "%s\n" "$tmp_prompt_var" >! "$_prompt_sorin_precmd_async_data"
   fi
 
   # Signal completion to parent process.