From: Junio C Hamano <gitster@pobox.com>
Date: Mon, 19 May 2014 23:10:10 +0000 (-0700)
Subject: Merge branch 'rh/prompt-pcmode-avoid-eval-on-refname'
X-Git-Tag: v2.0.0-rc4~4
X-Git-Url: https://git.lorimer.id.au/gitweb.git/diff_plain/df43b41afcc9bf5e4b8751dc9a53b068b33f52a8?ds=inline;hp=-c

Merge branch 'rh/prompt-pcmode-avoid-eval-on-refname'

* rh/prompt-pcmode-avoid-eval-on-refname:
git-prompt.sh: don't assume the shell expands the value of PS1
---

df43b41afcc9bf5e4b8751dc9a53b068b33f52a8
diff --combined contrib/completion/git-prompt.sh
index 853425d005,e7ae736e4b..9d684b10a6
--- a/contrib/completion/git-prompt.sh
+++ b/contrib/completion/git-prompt.sh
@@@ -209,9 -209,7 +209,7 @@@ __git_ps1_show_upstream (
  		if [[ -n "$count" && -n "$name" ]]; then
  			__git_ps1_upstream_name=$(git rev-parse \
  				--abbrev-ref "$upstream" 2>/dev/null)
- 			if [ $pcmode = yes ]; then
- 				# see the comments around the
- 				# __git_ps1_branch_name variable below
+ 			if [ $pcmode = yes ] && [ $ps1_expanded = yes ]; then
  				p="$p \${__git_ps1_upstream_name}"
  			else
  				p="$p ${__git_ps1_upstream_name}"
@@@ -270,13 -268,6 +268,13 @@@ __git_ps1_colorize_gitstring (
  	r="$c_clear$r"
  }
  
 +__git_eread ()
 +{
 +	f="$1"
 +	shift
 +	test -r "$f" && read "$@" <"$f"
 +}
 +
  # __git_ps1 accepts 0 or 1 arguments (i.e., format string)
  # when called from PS1 using command substitution
  # in this mode it prints text to add to bash PS1 prompt (includes branch name)
@@@ -308,6 -299,43 +306,43 @@@ __git_ps1 (
  		;;
  	esac
  
+ 	# ps1_expanded:  This variable is set to 'yes' if the shell
+ 	# subjects the value of PS1 to parameter expansion:
+ 	#
+ 	#   * bash does unless the promptvars option is disabled
+ 	#   * zsh does not unless the PROMPT_SUBST option is set
+ 	#   * POSIX shells always do
+ 	#
+ 	# If the shell would expand the contents of PS1 when drawing
+ 	# the prompt, a raw ref name must not be included in PS1.
+ 	# This protects the user from arbitrary code execution via
+ 	# specially crafted ref names.  For example, a ref named
+ 	# 'refs/heads/$(IFS=_;cmd=sudo_rm_-rf_/;$cmd)' might cause the
+ 	# shell to execute 'sudo rm -rf /' when the prompt is drawn.
+ 	#
+ 	# Instead, the ref name should be placed in a separate global
+ 	# variable (in the __git_ps1_* namespace to avoid colliding
+ 	# with the user's environment) and that variable should be
+ 	# referenced from PS1.  For example:
+ 	#
+ 	#     __git_ps1_foo=$(do_something_to_get_ref_name)
+ 	#     PS1="...stuff...\${__git_ps1_foo}...stuff..."
+ 	#
+ 	# If the shell does not expand the contents of PS1, the raw
+ 	# ref name must be included in PS1.
+ 	#
+ 	# The value of this variable is only relevant when in pcmode.
+ 	#
+ 	# Assume that the shell follows the POSIX specification and
+ 	# expands PS1 unless determined otherwise.  (This is more
+ 	# likely to be correct if the user has a non-bash, non-zsh
+ 	# shell and safer than the alternative if the assumption is
+ 	# incorrect.)
+ 	#
+ 	local ps1_expanded=yes
+ 	[ -z "$ZSH_VERSION" ] || [[ -o PROMPT_SUBST ]] || ps1_expanded=no
+ 	[ -z "$BASH_VERSION" ] || shopt -q promptvars || ps1_expanded=no
+ 
  	local repo_info rev_parse_exit_code
  	repo_info="$(git rev-parse --git-dir --is-inside-git-dir \
  		--is-bare-repository --is-inside-work-tree \
@@@ -339,9 -367,9 +374,9 @@@
  	local step=""
  	local total=""
  	if [ -d "$g/rebase-merge" ]; then
 -		read b 2>/dev/null <"$g/rebase-merge/head-name"
 -		read step 2>/dev/null <"$g/rebase-merge/msgnum"
 -		read total 2>/dev/null <"$g/rebase-merge/end"
 +		__git_eread "$g/rebase-merge/head-name" b
 +		__git_eread "$g/rebase-merge/msgnum" step
 +		__git_eread "$g/rebase-merge/end" total
  		if [ -f "$g/rebase-merge/interactive" ]; then
  			r="|REBASE-i"
  		else
@@@ -349,10 -377,10 +384,10 @@@
  		fi
  	else
  		if [ -d "$g/rebase-apply" ]; then
 -			read step 2>/dev/null <"$g/rebase-apply/next"
 -			read total 2>/dev/null <"$g/rebase-apply/last"
 +			__git_eread "$g/rebase-apply/next" step
 +			__git_eread "$g/rebase-apply/last" total
  			if [ -f "$g/rebase-apply/rebasing" ]; then
 -				read b 2>/dev/null <"$g/rebase-apply/head-name"
 +				__git_eread "$g/rebase-apply/head-name" b
  				r="|REBASE"
  			elif [ -f "$g/rebase-apply/applying" ]; then
  				r="|AM"
@@@ -376,7 -404,7 +411,7 @@@
  			b="$(git symbolic-ref HEAD 2>/dev/null)"
  		else
  			local head=""
 -			if ! read head 2>/dev/null <"$g/HEAD"; then
 +			if ! __git_eread "$g/HEAD" head; then
  				if [ $pcmode = yes ]; then
  					PS1="$ps1pc_start$ps1pc_end"
  				fi
@@@ -457,21 -485,8 +492,8 @@@
  	fi
  
  	b=${b##refs/heads/}
- 	if [ $pcmode = yes ]; then
- 		# In pcmode (and only pcmode) the contents of
- 		# $gitstring are subject to expansion by the shell.
- 		# Avoid putting the raw ref name in the prompt to
- 		# protect the user from arbitrary code execution via
- 		# specially crafted ref names (e.g., a ref named
- 		# '$(IFS=_;cmd=sudo_rm_-rf_/;$cmd)' would execute
- 		# 'sudo rm -rf /' when the prompt is drawn).  Instead,
- 		# put the ref name in a new global variable (in the
- 		# __git_ps1_* namespace to avoid colliding with the
- 		# user's environment) and reference that variable from
- 		# PS1.
+ 	if [ $pcmode = yes ] && [ $ps1_expanded = yes ]; then
  		__git_ps1_branch_name=$b
- 		# note that the $ is escaped -- the variable will be
- 		# expanded later (when it's time to draw the prompt)
  		b="\${__git_ps1_branch_name}"
  	fi