Problem: [security]: The netbeans defineAnnoType command passes typeName, fg and bg
unsanitized to coloncmd(), allowing a malicious server to inject
arbitrary Ex commands via '|'. Similarly, specialKeys does not
validate key tokens before building a map command.
Solution: Validate typeName, fg and bg against an allowlist of safe
characters before passing them to coloncmd()
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6
Supported by AI
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: channel: can bind to all network interfaces in ch_listen()
(after v9.2.0153)
Solution: Restrict to a valid hostname, do not allow to bind on all
network interfaces (Zdenek Dohnal).
This will prevent unintentional binding the process to public network
interfaces, and opening Vim to communication from outside network if
firewall allows it.
related: #19231
closes: #19799
Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: runtime(tar): some issues with lz4 support
Solution: Fix bugs (see below) (Aaron Burrow)
The tar plugin allows users to extract files from tar archives that are
compressed with lz4. But, tar#Extract() builds malformed extraction commands
for lz4-compressed tar archives. This commit fixes three issues in that code.
The first affects archives with a .tlz4 extension and the other two affect
archives with .tar.lz4 extension (but one of these is symmetric to the issue
that .tlz4 archives had).
(1) When trying to extract .tlz4 archives the command created by
tar#Extract looked like this:
tar -I lz4pxf foo.tlz4 foo
This isn't right. It should be something like this:
tar -I lz4 -pxf foo.tlz4 foo
This was happening because tar.plugin is just substituting on the
first - in "tar -pxf". This works fine if we just add a simple flag for
extraction (eg, z for .tgz), but for lz4 we need to add "-I lz4".
I don't believe that there is an obvious good way to fix this without
reworking the way the command is generated. Probably we should collect
the command and flags separately and the flags should be stored in a
set. Then put everything together into a string just before issuing it
as an extraction command. Unfortunately, this might break things for users
because they have access to tar_extractcmd.
This patch just makes the substitution a little bit more clever so that it
does the right thing when substituting on a string like "tar -pxf".
(2) .tar.lz4 extractions had the same issue, which my patch fixes in
the same way.
(3) .tar.lz4 extractions had another issue. There was a space missing
in the command generated by tar#Extract. This meant that commands
looked like this (notice the lack of space between the archive and output
file names):
tar -I lz4pxf foo.tar.lz4foo
This patch just puts a space where it should be.
Finally, I should note that ChatGPT 5.4 initially identified this issue
in the code and generated the test cases. I reviewed the test cases,
wrote the patch, and actually ran vim against the tests (both with and
without the patch).
closes: #19925
Signed-off-by: Aaron Burrow <burrows@fastmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: dist#vim9#Open() fails to open files with spaces on Linux
because Launch() splits the command string. Also,
background GUI viewers (e.g., xdg-open) crash with SIGPIPE
when Vim destroys the default job_start() IO pipes.
Solution: Use job_start() with 'sh -c' to let the POSIX shell parse
the shellescaped quotes safely. Set 'in_io', 'out_io', and
'err_io' to 'null' to completely detach the background
process and prevent pipe crashes. Unify the Launch()
execution block across all operating systems.
closes: #19928
fixes: #19916
Signed-off-by: Furkan Sahin <furkan-dev@proton.me>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: mismatch between return types and documentation
Solution: Fix documentation, update f_err_teapot() return type to void
(Hirohito Higashi)
- Fix summary table in builtin.txt: feedkeys, foreground, setcharsearch,
term_wait, test_void, wildtrigger, ch_sendraw from non-none to none;
listener_remove and prop_add from none to Number
- Fix err_teapot in evalfunc.c: ret_number_bool to ret_void
- Fix "Return type:" in detailed doc sections (64 functions across builtin.txt,
channel.txt, terminal.txt, popup.txt, testing.txt, textprop.txt) from wrong
types to void
- Add missing "Return type: void" for prompt_setcallback and prop_add_list
closes: #19922
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: runtime(netrw): RFC2396 decoding double escaping spaces
(lilydjwg, after 3e60f03d94)
Solution: Remove escape() call, since we are using fnameescape() anyhow
fixes: #19913
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Vim9: void function return value inconsistent between
script and :def
Solution: Make void built-in functions like bufload() return void
consistently (Hirohito Higashi)
In Vim9 script, calling a void built-in function (e.g. bufload()) at the
script level did not set rettv to VAR_VOID, making it appear to return
0. Inside :def it correctly returned VAR_VOID and raised E1031. Set
rettv to VAR_VOID after calling a ret_void built-in function in Vim9
script so the behavior is consistent.
Also fix the documentation for bufload() and ch_logfile() to correctly
state that the return type is void.
closes: #19919
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: The vimball plugin needs some love
(syndicate)
Solution: Clean-up, refactor and update the plugin,
in particular, catch path traversal attacks
This change does the following
- Clean up Indentation and remove calls to Decho
- Increase minimum Vim version to 7.4 for mkdir()
- Use mkdir() consistently
- Update Metadata Header
- Remove check for fnameescape()
- Catch path traversal attacks
- Add vimball basic tests
- Remove mentioning of g:vimball_mkdir in documentation
closes: #19921
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: runtime(zip): may write using absolute paths
(syndicate)
Solution: Detect this case and abort on Unix, warn in the documentation
about possible issues
Signed-off-by: Christian Brabandt <cb@256bit.org>
- Don't go over 78 columns.
- Change the first "and" to "or", as "or" is used below.
- Change "takes one" to "switches", as "one" may be mistaken as
referring to the command instead of the user.
- Use backticks in :h 'autowriteall' like in :h 'autowrite'.
closes: #19859
Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: filetype: not all ObjectScript routines are recognized
Solution: Also detect "%RO" and "iris" patterns inside *.rtn files
(Hannah Kimura)
closes: #19873
Signed-off-by: Hannah Kimura <hannah.kimura@intersystems.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Sway 1.11 added `security_context_v1` metadata as criteria:
- `sandbox_engine`
- `sandbox_app_id`
- `sandbox_instance_id`
Sway 1.12 will add the `tag` criteria for `xdg_toplevel_tag_v1`, as
well as the `hdr` output option (with options `on`, `off`, and
`toggle`).
closes: #19884
Signed-off-by: Felix Pehla <29adc1fd92@gmail.com>
Signed-off-by: James Eapen <james.eapen@vai.org>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Request less backtracking to function-name candidates for
nonlinear patterns with any regexp engine BUT force using
the old engine with these patterns to avoid incurring an
additional penalty, according to ":syntime report", when the
new regexp engine is preferred.
fixes: #19847closes: #19849
Signed-off-by: Aliaksei Budavei <0x000c70@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Explain how stdin/stdout/stderr are connected in term_start():
- On Unix, they default to pty; only "err_cb" switches stderr to a pipe,
which may cause output order differences due to buffering.
- On MS-Windows with ConPTY, they are always pipes and stdout/stderr
share the same pipe, so "err_cb" cannot separate them.
related: #16354
Co-authored-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: runtime(vimgoto): not correctly escaping the filenames
Solution: Use fnamescape() (Michał Majchrowicz)
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: runtime(typeset) does not escape the detected directory
Solution: Use fnameescape() (Michał Majchrowicz)
fyi @lifepillar
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: runtime(context) does not escape the detected log file
Solution: Use fnameescape() (Michał Majchrowicz)
fyi @lifepillar
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: system() and systemlist() only accept a String, requiring
manual shell escaping for arguments with special characters.
Solution: Accept a List as the first argument and execute the command
bypassing the shell (Yasuhiro Matsumoto).
fixes: #19789closes: #19791
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: json_decode() accepted keywords case-insensitively, violating
RFC 7159. Both json_decode() and js_decode() silently accepted
lone surrogates, which are invalid Unicode.
Solution: Only allow lowercase keyword in json_decode(), reject lone
surrogates, improve encoding performance in write_string() and
blob byte serialization.
1. Fix surrogate pair range check (0xDFFF -> 0xDBFF) so only high
surrogates trigger pair decoding. Reject lone surrogates that do
not form a valid pair instead of producing invalid UTF-8.
2. Use case-sensitive matching for JSON keywords (true, false, null,
NaN, Infinity) in json_decode() per RFC 7159. js_decode() retains
case-insensitive behavior.
3. Replace double ga_append() calls for escape sequences with single
GA_CONCAT_LITERAL() calls, halving function call and buffer growth
check overhead.
4. Replace vim_snprintf_safelen() for blob byte encoding (0-255) with
direct digit conversion.
closes: #19807
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
- Highlight keywords "function" and "namespace" with
the "Keyword" group ("shFunctionKey").
- Highlight function body delimiters "{" and "}" with the
"Delimiter" group ("shFunctionExprRegion").
- Highlight function body delimiters "(" and ")" with the
"Operator" group ("shFunctionSubShRegion").
- Also, follow one style in folding all supported variants
of function bodies for grouping commands too by enclosing
a delimited function body, e.g. "{" and "}", in a fold and
leaving its function header, e.g. "function f()", out of
it when the header is written on a separate line.
To restore previous colouring, add to "after/syntax/sh.vim":
------------------------------------------------------------
hi link shFunctionKey Function
hi link shFunctionExprRegion Function
hi link shFunctionSubShRegion Function
------------------------------------------------------------
fixes: https://github.com/vim/vim/pull/19638#issuecomment-4052635546closes: #19638
Signed-off-by: Aliaksei Budavei <0x000c70@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
\a in Vim's regex matches [A-Za-z], not the BEL character (0x07).
This caused the OSC 8 hyperlink stripping pattern to incorrectly
match alphabetic characters, breaking man page display.
Use \x07 (inside []) and %x07 (outside []) to correctly match BEL.
closes: #19806
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: stack-overflow with deeply nested data in json_encode/decode()
(ZyX-I)
Solution: Add depth limit check using 'maxfuncdepth' to
json_encode_item() and json_decode_item() to avoid crash when
encoding/decoding deeply nested lists, dicts, or JSON arrays/objects,
fix typo in error name, add tests (Yasuhiro Matsumoto).
fixes: #588closes: #19808
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Yasuhiro Matsumoto
Christian Brabandt
Antonin Godard
Zdenek Dohnal
Mao-Yining
Hirohito Higashi
Aaron Burrow
Furkan Sahin
Carlo Klapproth
zeertzjq
Hannah
Felix Pehla
Peter Kenny
Aliaksei Budavei
RestorerZ
Thomas Braun
rendcrx
Ola Söder
Antonio Giovanni Colombo
Anakin Childerhose