fix(lib): fix omz_urldecode unsafe eval bug

The `omz_urldecode` function uses an eval to decode the input which can be
exploited to inject commands. This is used only in the svn plugin and it
requires a complex process to exploit, so it is highly unlikely to have been
used by an attacker.
This commit is contained in:
Marc Cornellà 2021-11-08 17:46:14 +01:00
parent 1448d234d6
commit 6cb41b70a6
No known key found for this signature in database
GPG Key ID: 0314585E776A9C1B

View File

@ -237,12 +237,11 @@ function omz_urldecode {
tmp=${tmp:gs/\\/\\\\/}
# Handle %-escapes by turning them into `\xXX` printf escapes
tmp=${tmp:gs/%/\\x/}
local decoded
eval "decoded=\$'$tmp'"
local decoded="$(printf -- "$tmp")"
# Now we have a UTF-8 encoded string in the variable. We need to re-encode
# it if caller is in a non-UTF-8 locale.
local safe_encodings
local -a safe_encodings
safe_encodings=(UTF-8 utf8 US-ASCII)
if [[ -z ${safe_encodings[(r)$caller_encoding]} ]]; then
decoded=$(echo -E "$decoded" | iconv -f UTF-8 -t $caller_encoding)