1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
To: vim_dev@googlegroups.com
Subject: Patch 8.1.1365
Fcc: outbox
From: Bram Moolenaar <Bram@moolenaar.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
------------
Patch 8.1.1365
Problem: Source command doesn't check for the sandbox. (Armin Razmjou)
Solution: Check for the sandbox when sourcing a file.
Files: src/getchar.c, src/testdir/test_source.vim
*** ../vim-8.1.1364/src/getchar.c 2019-05-19 21:57:05.670320399 +0200
--- src/getchar.c 2019-05-22 20:33:44.175220749 +0200
***************
*** 1407,1412 ****
--- 1407,1418 ----
emsg(_(e_nesting));
return;
}
+
+ // Disallow sourcing a file in the sandbox, the commands would be executed
+ // later, possibly outside of the sandbox.
+ if (check_secure())
+ return;
+
#ifdef FEAT_EVAL
if (ignore_script)
/* Not reading from script, also don't open one. Warning message? */
*** ../vim-8.1.1364/src/testdir/test_source.vim 2019-01-12 13:25:42.633479785 +0100
--- src/testdir/test_source.vim 2019-05-22 20:44:58.887015783 +0200
***************
*** 36,38 ****
--- 36,47 ----
au! SourcePre
au! SourcePost
endfunc
+
+ func Test_source_sandbox()
+ new
+ call writefile(["Ohello\<Esc>"], 'Xsourcehello')
+ source! Xsourcehello | echo
+ call assert_equal('hello', getline(1))
+ call assert_fails('sandbox source! Xsourcehello', 'E48:')
+ bwipe!
+ endfunc
*** ../vim-8.1.1364/src/version.c 2019-05-21 23:08:56.969600854 +0200
--- src/version.c 2019-05-22 22:37:10.196825450 +0200
***************
*** 769,770 ****
--- 769,772 ----
{ /* Add new patch number below this line */
+ /**/
+ 1365,
/**/
--
hundred-and-one symptoms of being an internet addict:
13. You refer to going to the bathroom as downloading.
/// Bram Moolenaar -- Bram@Moolenaar.net -- http://www.Moolenaar.net \\\
/// sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\ an exciting new programming language -- http://www.Zimbu.org ///
\\\ help me help AIDS victims -- http://ICCF-Holland.org ///
|
