patch 9.2.0188: Can set environment variables in restricted mode

Problem:  Can set environment variables in restricted mode
Solution: Disallow setting environment variables using legacy Vim script
          (pyllyukko).

related: #13394
related: #19705
closes:  #19704

Signed-off-by: pyllyukko <pyllyukko@maimed.org>
Signed-off-by: Christian Brabandt <cb@256bit.org>

runtime/doc/starting.txt

@@ -1,4 +1,4 @@
-*starting.txt*	For Vim version 9.2.  Last change: 2026 Feb 25
+*starting.txt*	For Vim version 9.2.  Last change: 2026 Mar 17
 
 
 		  VIM REFERENCE MANUAL	  by Bram Moolenaar
@@ -252,7 +252,8 @@ a slash.  Thus "-R" means recovery and "-/R" readonly.
 		":sh", filtering, the |system()| function, backtick expansion
 		and libcall().
 		Also disallowed are |delete()|, |rename()|, |mkdir()|,
-		|job_start()|, |setenv()| etc.
+		|job_start()|, |setenv()| and setting environment variables,
+		etc.
 		Interfaces, such as Python, Ruby and Lua, are also disabled,
 		since they could be used to execute shell commands.  Perl uses
 		the Safe module.

runtime/doc/version9.txt

@@ -1,4 +1,4 @@
-*version9.txt*	For Vim version 9.2.  Last change: 2026 Mar 16
+*version9.txt*	For Vim version 9.2.  Last change: 2026 Mar 17
 
 
 		  VIM REFERENCE MANUAL	  by Bram Moolenaar
@@ -52595,8 +52595,10 @@ between them is small (5 bytes or less) and contains only non-word characters.
 This prevents fragmented highlighting when only whitespace or punctuation
 separates changes.
 
-Using external diff mode is no longer allowed when Vim is running in
-|restricted-mode|.
+Restricted mode~
+---------------
+Using external diff mode or setting environment variables is no longer allowed
+when Vim is running in |restricted-mode|.
 
 Other ~
 -----

src/evalvars.c

@@ -1712,7 +1712,7 @@ ex_let_env(
 	else if (endchars != NULL
 			      && vim_strchr(endchars, *skipwhite(arg)) == NULL)
 	    emsg(_(e_unexpected_characters_in_let));
-	else if (!check_secure())
+	else if (!check_secure() && !check_restricted())
 	{
 	    char_u	*tofree = NULL;
 	    int		c1 = name[len];

src/testdir/test_restricted.vim

@@ -138,7 +138,7 @@ func Test_restricted_diff()
   call delete('Xresult')
 endfunc
 
-func Test_restricted_vim9_env()
+func Test_restricted_env()
   let lines =<< trim END
       vim9script
       def SetEnv()
@@ -158,6 +158,22 @@ func Test_restricted_vim9_env()
     call assert_equal(['not-allowed'], readfile('XResult_env'))
   endif
   call delete('XResult_env')
+
+  let lines =<< trim END
+      try
+        let $ENV_TEST = 'val'
+        let result = 'okay'
+      catch /^Vim\%((\S\+)\)\=:E145:/
+        let result = 'not-allowed'
+      endtry
+      call writefile([result], 'XResult_env')
+      qa!
+  END
+  call writefile(lines, 'Xrestricted_legacy', 'D')
+  if RunVim([], [], '-Z --clean -S Xrestricted_legacy')
+    call assert_equal(['not-allowed'], readfile('XResult_env'))
+  endif
+  call delete('XResult_env')
 endfunc
 
 " vim: shiftwidth=2 sts=2 expandtab

src/version.c

@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    188,
 /**/
     187,
 /**/