Merge pull request magicmonty#325 from ogr3/bash-git-rc

[security] Check the syntax of .bash-git-rc before sourcing it, Fixes magicmonty#324
ogr3 · May 4, 2017 · 7e95f15 · 7e95f15
2 parents 50a3159 + 19d941d
commit 7e95f15
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/gitprompt.sh b/gitprompt.sh
@@ -346,7 +346,13 @@ function setGitPrompt() {
   unset GIT_PROMPT_SHOW_UNTRACKED_FILES
 
   if [[ -e "$repo/.bash-git-rc" ]]; then
-    source "$repo/.bash-git-rc"
+    # The config file can only contain variable declarations on the form A_B=0 or G_P=all
+    local CONFIG_SYNTAX="^(FETCH_REMOTE_STATUS|GIT_PROMPT_SHOW_UNTRACKED_FILES|GIT_PROMPT_IGNORE)=[0-9a-z]+$"
+    if egrep -q -v "$CONFIG_SYNTAX" "$repo/.bash-git-rc"; then
+      echo ".bash-git-rc can only contain variable values on the form NAME=value. Ignoring file." >&2
+    else
+      source "$repo/.bash-git-rc"
+    fi
   fi
 
   if [ -z "${GIT_PROMPT_SHOW_UNTRACKED_FILES}" ]; then