From 2808b1a6533b1dc4e3dfa584037b746c86692c06 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=9D=8E=E9=80=9A=E6=B4=B2?= <carter.li@eoitek.com>
Date: Wed, 17 Jan 2024 23:45:39 +0800
Subject: [PATCH] TerminalShell: improve xonsh version detection

---
 src/detection/terminalshell/terminalshell.c       | 2 +-
 src/detection/terminalshell/terminalshell_linux.c | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/detection/terminalshell/terminalshell.c b/src/detection/terminalshell/terminalshell.c
index 118b4c70ff..98faad02c3 100644
--- a/src/detection/terminalshell/terminalshell.c
+++ b/src/detection/terminalshell/terminalshell.c
@@ -228,7 +228,7 @@ bool fftsGetShellVersion(FFstrbuf* exe, const char* exeName, FFstrbuf* version)
         return getExeVersionRaw(exe, version);
     if(strcasecmp(exeName, "ash") == 0)
         return getShellVersionAsh(exe, version);
-    if(strcasecmp(exeName, "python") == 0 && getenv("XONSH_VERSION"))
+    if((strcasecmp(exeName, "xonsh") == 0 || strcasecmp(exeName, "python") == 0) && getenv("XONSH_VERSION"))
     {
         ffStrbufSetS(version, getenv("XONSH_VERSION"));
         return true;
diff --git a/src/detection/terminalshell/terminalshell_linux.c b/src/detection/terminalshell/terminalshell_linux.c
index a9cbb9a472..397191e4e4 100644
--- a/src/detection/terminalshell/terminalshell_linux.c
+++ b/src/detection/terminalshell/terminalshell_linux.c
@@ -186,7 +186,8 @@ static pid_t getTerminalInfo(FFTerminalResult* result, pid_t pid)
             ffStrEquals(name, "git-shell")  ||
             ffStrEquals(name, "elvish")     ||
             ffStrEquals(name, "oil.ovm")    ||
-            (ffStrEquals(name, "python") && getenv("XONSH_VERSION"))
+            ffStrEquals(name, "xonsh")      ||
+            ffStrEndsWith(name, ".sh")
         )
         {
             pid = ppid;