From: Frank Terbeck Date: Sat, 25 Mar 2017 17:01:32 +0000 (+0100) Subject: prompt_grml: Add documentation for strip-sensitive-characters X-Git-Tag: v0.14.1~3 X-Git-Url: http://git.grml.org/?p=grml-etc-core.git;a=commitdiff_plain;h=5352f45b70ba9ae21cecfd694b4bc00e2e609183 prompt_grml: Add documentation for strip-sensitive-characters --- diff --git a/etc/zsh/zshrc b/etc/zsh/zshrc index 4d9b9ad..6b28940 100644 --- a/etc/zsh/zshrc +++ b/etc/zsh/zshrc @@ -2001,6 +2001,19 @@ function prompt_grml_help () { accordingly. Default (left): rc change-root user at host path vcs percent; Default (right): sad-smiley + - strip-sensitive-characters (boolean): If the \`prompt_subst' option + is active in zsh, the shell performs lots of expansions on prompt + variable strings, including command substitution. So if you don't + control where some of your prompt strings is coming from, this is + an exploitable weakness. Grml's zsh setup does not set this option + and it is off in the shell in zsh-mode by default. If it *is* turned + on however, this style becomes active, and there are two flavours of + it: On per default is a global variant in the '*:setup' context. This + strips characters after the whole prompt string was constructed. There + is a second variant in the '*:items:', that is off by default. + It allows fine grained control over which items' data is stripped. + The characters that are stripped are: \$ and \`. + Available styles in 'items:' are: pre, post. These are strings that are inserted before (pre) and after (post) the item in question. Thus, the following would cause the user name to be printed in red instead of the
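Review bot: The new strip-sensitive-characters entry in prompt_grml_help names two variants (the global one in the '*:setup' context and the per-item one) but never shows how to set either, so a reader who has prompt_subst enabled cannot tell from the help text how to switch the per-item variant on or the global one off. The pre/post description that follows gives a concrete example ("Thus, the following would cause the user name to be printed in red"), and one example zstyle line per variant here would match it. The per-item context is also written as '*:items:' with nothing after the trailing colon; an item placeholder would make it clear that the style is set per item. Two wording fixes in the same paragraph: "where some of your prompt strings is coming from" should read "are coming from", and "On per default is a global variant" reads more clearly as "A global variant in the '*:setup' context is on by default". It would also help to say in one clause that \$ and \` are stripped because they are the characters that start parameter expansion and command substitution, which ties the list back to the risk described at the top of the entry.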