Awesome
pw3nage
If you get pw3ned, might want to fix your shell
This is a rather silly POC of a vulnerability in custom shell prompt scripts that I suspect is rather widespread. I noticed
when working on a branch that included (for the sake of cuteness) a $
that my prompt that usually includes the branch
name had a bunch of gibberish. I suspected the zsh pluging I was using did not properly escape shell metacharacters, so
I tried a few more things and landed on this.
How it works:
- This repo has an unusually-named default branch of
$(./pw3n)
- The repo contains a script at the path referenced in the branch name
- When you cd to this repo, if your shell prompt tries to display your branch name and does't correctly escape $(..) expressions, it will execute
./pw3n
Fixes:
- only show whitelisted characters
branch=${BRANCH//[^a-z0-9\/]/-}
- construct PS1 to reference a variable that holds the branch name official git prompt fix