security/41: Don't perform PROMPT_SUBST evaluation on %F/%K arguments

Mitigates CVE-2021-45444 (cherry picked from commit c187154f47)
2024-05-10 01:26:17 +02:00 · 2021-12-15 01:56:40 +01:00 · 2021-12-15 01:56:40 +01:00 · c3ea1e5d52
parent fc18b7c8a2
commit c3ea1e5d52
2 changed files with 15 additions and 0 deletions
--- a/5
+++ b/5
@ -1,3 +1,8 @@
+2022-02-12  dana  <dana@dana.is>
+
+	* Oliver Kiddle: security/41: Src/prompt.c: Prevent recursive
+	PROMPT_SUBST
+
 2022-02-04  Jun-ichi Takimoto  <takimoto-j@kba.biglobe.ne.jp>

 	* 49730: Completion/Unix/Command/_csplit,
--- a/Src/prompt.c
+++ b/Src/prompt.c
@ -244,6 +244,12 @@ parsecolorchar(zattr arg, int is_fg)
 	bv->fm += 2; /* skip over F{ */
 	if ((ep = strchr(bv->fm, '}'))) {
 	    char oc = *ep, *col, *coll;
+	    int ops = opts[PROMPTSUBST], opb = opts[PROMPTBANG];
+	    int opp = opts[PROMPTPERCENT];
+
+	    opts[PROMPTPERCENT] = 1;
+	    opts[PROMPTSUBST] = opts[PROMPTBANG] = 0;
+
 	    *ep = '\0';
 	    /* expand the contents of the argument so you can use
 	     * %v for example */
@ -252,6 +258,10 @@ parsecolorchar(zattr arg, int is_fg)
 	    arg = match_colour((const char **)&coll, is_fg, 0);
 	    free(col);
 	    bv->fm = ep;
+
+	    opts[PROMPTSUBST] = ops;
+	    opts[PROMPTBANG] = opb;
+	    opts[PROMPTPERCENT] = opp;
 	} else {
 	    arg = match_colour((const char **)&bv->fm, is_fg, 0);
 	    if (*bv->fm != '}')