patch 9.2.0341: some functions can be run from the sandbox
Problem: some functions can be run from the sandbox
Solution: Block them, so they are not accessible from a modeline
(q1uf3ng)
closes: #19975
Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: q1uf3ng <q1uf3ng@protone.me>
Signed-off-by: Christian Brabandt <cb@256bit.org>
committed by
Christian Brabandt
parent
6836599733
commit
fcc4276db3
@@ -4391,6 +4391,9 @@ f_echoraw(typval_T *argvars, typval_T *rettv UNUSED)
|
||||
{
|
||||
char_u *str;
|
||||
|
||||
if (check_secure())
|
||||
return;
|
||||
|
||||
if (in_vim9script() && check_for_string_arg(argvars, 0) == FAIL)
|
||||
return;
|
||||
|
||||
|
||||
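Review bot: The `check_secure()` guard added at the top of f_echoraw changes user-visible behaviour, yet no help-file section appears on this page to say so. Vim's help marks other restricted functions with a sentence like `This function is not available in the |sandbox|.`; the entries for echoraw(), readfile(), readblob(), readdir(), readdirex() and chdir() would want the same, and `:echoconsole` a matching remark. Next to the check itself, a short comment such as `// Writes to the terminal unfiltered, so not allowed from a modeline.` would keep the reason with the code. f_echoraw continues outside the hunk.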
+1
-1
@@ -552,7 +552,7 @@ EXCMD(CMD_echomsg, "echomsg", ex_execute,
|
||||
EX_EXTRA|EX_NOTRLCOM|EX_EXPR_ARG|EX_SBOXOK|EX_CMDWIN|EX_LOCK_OK,
|
||||
ADDR_NONE),
|
||||
EXCMD(CMD_echoconsole, "echoconsole", ex_execute,
|
||||
EX_EXTRA|EX_NOTRLCOM|EX_EXPR_ARG|EX_SBOXOK|EX_CMDWIN|EX_LOCK_OK,
|
||||
EX_EXTRA|EX_NOTRLCOM|EX_EXPR_ARG|EX_CMDWIN|EX_LOCK_OK,
|
||||
ADDR_NONE),
|
||||
EXCMD(CMD_echon, "echon", ex_echo,
|
||||
EX_EXTRA|EX_NOTRLCOM|EX_EXPR_ARG|EX_SBOXOK|EX_CMDWIN|EX_LOCK_OK,
|
||||
|
||||
@@ -823,6 +823,9 @@ f_chdir(typval_T *argvars, typval_T *rettv)
|
||||
rettv->v_type = VAR_STRING;
|
||||
rettv->vval.v_string = NULL;
|
||||
|
||||
if (check_secure())
|
||||
return;
|
||||
|
||||
if (argvars[0].v_type != VAR_STRING)
|
||||
{
|
||||
// Returning an empty string means it failed.
|
||||
@@ -1727,6 +1730,8 @@ f_readdir(typval_T *argvars, typval_T *rettv)
|
||||
|
||||
if (rettv_list_alloc(rettv) == FAIL)
|
||||
return;
|
||||
if (check_secure())
|
||||
return;
|
||||
|
||||
if (in_vim9script()
|
||||
&& (check_for_string_arg(argvars, 0) == FAIL
|
||||
@@ -1780,6 +1785,8 @@ f_readdirex(typval_T *argvars, typval_T *rettv)
|
||||
|
||||
if (rettv_list_alloc(rettv) == FAIL)
|
||||
return;
|
||||
if (check_secure())
|
||||
return;
|
||||
|
||||
if (in_vim9script()
|
||||
&& (check_for_string_arg(argvars, 0) == FAIL
|
||||
@@ -2051,6 +2058,9 @@ read_file_or_blob(typval_T *argvars, typval_T *rettv, int always_blob)
|
||||
void
|
||||
f_readblob(typval_T *argvars, typval_T *rettv)
|
||||
{
|
||||
if (check_secure())
|
||||
return;
|
||||
|
||||
if (in_vim9script()
|
||||
&& (check_for_string_arg(argvars, 0) == FAIL
|
||||
|| check_for_opt_number_arg(argvars, 1) == FAIL
|
||||
@@ -2067,6 +2077,9 @@ f_readblob(typval_T *argvars, typval_T *rettv)
|
||||
void
|
||||
f_readfile(typval_T *argvars, typval_T *rettv)
|
||||
{
|
||||
if (check_secure())
|
||||
return;
|
||||
|
||||
if (in_vim9script()
|
||||
&& (check_for_nonempty_string_arg(argvars, 0) == FAIL
|
||||
|| check_for_opt_string_arg(argvars, 1) == FAIL
|
||||
|
||||
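Review bot: The sandbox guard is repeated at the top of f_readblob and f_readfile instead of sitting in the helper that performs the read. The hunk header names read_file_or_blob directly above them; if both wrappers delegate to it (the calls are outside these hunks), an `if (check_secure()) return;` at its start would also cover any caller added later. If the per-function placement is kept to match the other f_ functions, a comment on read_file_or_blob such as `// Callers must have passed check_secure().` would record the contract. The bodies of all five functions in this section continue outside the hunks.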
@@ -673,6 +673,13 @@ func Sandbox_tests()
|
||||
if has('unix')
|
||||
call assert_fails('cd `pwd`', 'E48:')
|
||||
endif
|
||||
call assert_fails("call echoraw('test')", 'E48:')
|
||||
call assert_fails("echoconsole 'test'", 'E48:')
|
||||
call assert_fails("call readfile('Xsomefile')", 'E48:')
|
||||
call assert_fails("call readblob('Xsomefile')", 'E48:')
|
||||
call assert_fails("call readdir('.')", 'E48:')
|
||||
call assert_fails("call readdirex('.')", 'E48:')
|
||||
call assert_fails("call chdir('.')", 'E48:')
|
||||
" some options cannot be changed in a sandbox
|
||||
call assert_fails('set exrc', 'E48:')
|
||||
call assert_fails('set cdpath', 'E48:')
|
||||
|
||||
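Review bot: The new `assert_fails()` lines from `call echoraw('test')` through `call chdir('.')` have no heading, while the group right after them is introduced by `" some options cannot be changed in a sandbox`. A matching comment above the first of them, for example `" builtin functions and :echoconsole blocked by patch 9.2.0341`, would tell a reader why these seven calls are grouped. Sandbox_tests() starts and ends outside the hunk.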
@@ -734,6 +734,8 @@ static char *(features[]) =
|
||||
|
||||
static int included_patches[] =
|
||||
{ /* Add new patch number below this line */
|
||||
/**/
|
||||
341,
|
||||
/**/
|
||||
340,
|
||||
/**/
|
||||
|
||||