OS Command Injection in ohmyzsh/ohmyzsh

# Vulnerability in `rand-quote` and `hitokoto` plugins **Description**: the `rand-quote` and `hitokoto` fetch quotes from quotationspage.com and hitokoto.cn respectively, do some process on them and then use `print -P` to print them. If these quotes contained the proper symbols, they could trigger command injection. Given that they're an external API, it's not possible to know if the quotes are safe to use. **Fixed in**: [72928432](https://github.com/ohmyzsh/ohmyzsh/commit/72928432). **Impacted areas**: - `rand-quote` plugin (`quote` function). - `hitokoto` plugin (`hitokoto` function).

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

ohmyzsh 操作系统命令注入漏洞

ohmyzsh是一个开源的、社区驱动的框架，用于管理您的zsh配置。 ohmyzsh 存在操作系统命令注入漏洞，攻击者可以利用该漏洞通过rand-quote和hitokoto插件触发命令注入。

N/A

N/A