Problem: tests: no tests for ch_listen() with IPs
Solution: Add tests that this is disallowed
(Zdenek Dohnal)
The functionality was removed, so the test is to make sure it fails
as expected.
closes: #19997
Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Before 71fd19d7ac this function went
through a `:!` command on all platforms, so it needed special escaping for `#` and
others. After that commit it doesn't go through that path on unix
platforms. Then with 48581f2ba9 this
escaping was re-added on unix and it's needs since it goes through
`sh -c`, but it should not have the extra escaping specific to `:!`.
Specifically my original broken command is:
```
PATH=/usr/bin:/bin VIMRUNTIME=~/dev/vim/runtime ./src/vim -u NONE -c 'call dist#vim9#Open("https://github.com/keith/dotfiles/blob/7bce9f5c697df6a549cf97bf5606d8b639e5bf5a/vimrc#L19")'
```
Where the `#L19` ends up being opened as `%5C#L19`. But I verified this
case still works as well:
```
PATH=/usr/bin:/bin VIMRUNTIME=~/dev/vim/runtime ./src/vim -u NONE -c 'call dist#vim9#Open("foo bar.txt")'
```
Which is what would otherwise break if we weren't doing any shell
escaping on unix.
closes: #19996
Signed-off-by: Keith Smiley <keithbsmiley@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Say explicitly that ":setlocal" sets the local value, while ":set" also
sets the global value.
related: #19993
Signed-off-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Added the fallowing.
djangoStatement:
- querystring: Added in version Django 5.2.
- lorem: Added in version Django 1.8.
- verbatim: Added in version Django 1.10.
djangoFilter:
- force_escape: Added in version Django 1.8.
- iriencode: Added in version Django 1.8.
- json_script: Added in version 2.1.
- truncatechars_html: Added in version 1.7.
> According to current documentation the added keywords are supported [Django version 6](https://docs.djangoproject.com/en/6.0/ref/templates/builtins).
related: #19994
Signed-off-by: tecis <67809811+tecis@users.noreply.github.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Cannot handle mouse-clicks in the tabpanel
Solution: Add support using the %[FuncName] atom for the tabpanel
(Yasuhiro Matsumoto)
Extend the statusline/tabline click region mechanism to work with
'tabpanel'. The callback receives a dict with "area" set to "tabpanel"
and a "tabnr" key indicating which tab page label was clicked.
closes: #19960
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: wrong VertSplitNC highlighting on winbar
(Maxim Kim, after v9.2.0349)
Solution: Use VertSplit instead of VertSplitNC for winbar rows
(Hirohito Higashi).
vsep_row_is_curwin() and right_neighbor_at_row() used W_WINROW() which
excludes winbar rows from the window's range. This caused the vertical
separator at winbar rows to use VertSplitNC even when curwin is adjacent.
Use w_winrow directly so winbar rows are included in the range check.
fixes: #19985closes: #19987
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: runtime(vimball): still path traversal attacks possible
Solution: block Windows driver letter paths (Yasuhiro Matsumoto)
The path traversal check in vimball#Vimball() did not reject file
names starting with a Windows drive letter (e.g. "C:/foo"). Backslashes
are normalized to forward slashes earlier, so UNC paths are caught by
the leading-slash check, but absolute drive-letter paths slipped
through and could write outside of g:vimball_home on Windows.
Add a "^\a:" check next to the existing "^/" check, and cover it with
a new test.
closes: #19989
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: [security]: command injection via backticks in tag files
(Srinivas Piskala Ganesh Babu, Andy Ngo)
Solution: Disallow backticks before attempting to expand filenames.
Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-cwgx-gcj7-6qh8
Supported by AI
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Cannot apply 'scrolloff' context lines at end of file
Solution: Add the 'scrolloffpad' option to keep 'scrolloff' context even
when at the end of the file (McAuley Penney).
closes: #19040
Signed-off-by: McAuley Penney <jacobmpenney@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: runtime(tar): missing path traversal checks in tar#Extract()
Solution: Add check for leading slash, however gnu tar should already
detect this (q1uf3ng)
tar#Extract() did not check for ../ sequences or absolute paths,
unlike zip#Extract() which was patched in recent commits. Add the
same checks: ../ (relative traversal), leading slash (Unix), drive
letter and UNC/leading slash (Windows).
closes: #19981
Signed-off-by: q1uf3ng <q1uf3ng@protone.me>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: filetype: not all Bitbake include files are recognized
Solution: Enhance the file detection logic and consider varflags
(Martin Schwan)
closes: #19983
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Enable syntax highlighting for forward-slashes in Bitbake variables with
varflags. Bitbake allows for forward-slashes in both the variable name
and their potential varflags. E.g. the following should match:
FOO_BAR[baz] = "foobar"
FOO_BAR_foo/bar[baz] = "foobar"
FOO_BAR_foo/bar[baz/bazzer] = "foobar"
Also allow plus-signs in variable names, to be in line with normal
variable names.
related: #19983
Signed-off-by: Martin Schwan <m.schwan@phytec.de>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: 'winhighlight' of left window blends into right window
Solution: Allow to push a NULL highlight override (Foxe Chen)
closes: #19980
Signed-off-by: Foxe Chen <chen.foxe@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: repeat_string() can be improved
Solution: Replace the for() loop by an exponential growing while loop
(Yasuhiro Matsumoto)
closes: #19977
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
zip#Write(): the Windows path check did not match a single leading
slash (/path), which resolves to the current drive root on Windows.
Simplify the regex to match any leading slash or backslash.
zip#Extract(): add absolute path checks for both Unix and Windows,
matching the existing checks in zip#Write().
closes: #19976
Signed-off-by: q1uf3ng <glna9@protonmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Enabling modelines poses a risk, cannot whitelist specific
modelines
Solution: Include the 'modelinestrict' option, enabled by default, that
allows only a few very specific modelines, all others will be
ignored
When set (which it is by default), only the following settings will be
applied, all others will be ignored:
'autoindent'
'cindent'
'commentstring'
'expandtab'
'filetype'
'foldcolumn'
'foldenable'
'foldmethod'
'modifiable'
'readonly'
'rightleft'
'shiftwidth'
'smartindent'
'softtabstop'
'spell'
'spelllang'
'tabstop'
'textwidth'
'varsofttabstop'
'vartabstop'
Supported by AI
closes: #19875
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: cannot style non-current window separator
Solution: Add the VertSplitNC highlighting group
(Hirohito Higashi).
Add VertSplitNC highlight group for vertical separators of non-current
windows, similar to StatusLine/StatusLineNC distinction. The separator
adjacent to the current window uses VertSplit, others use VertSplitNC.
Default: linked to VertSplit.
At the current window's status line rows, the separator cell is drawn as
a space with the StatusLine highlight so it blends into the status line
without a stray fillchar glyph.
Also:
- :redrawstatus[!] now also redraws vertical separators.
- statusline height changes trigger vsep redraw.
closes: #19951
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: potential buffer underrun when settings statusline like option
(q1uf3ng)
Solution: Validate that p > out before accessing p[-1]
closes: #19961
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Vim9: script-local variable not found after function call
(Mao-Yining)
Solution: Accept a script local variable in a function which overrides a
previous block-scope variable (Yegappan Lakshmanan)
fixes: #19959closes: #19963
Signed-off-by: Yegappan Lakshmanan <yegappan@yahoo.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Wrong cursor position when entering command line window
Solution: Add check_cursor() command to verify the cursor position
(Hirohito Higashi).
When opening the command-line window with CTRL-F after typing a command
that fills the screen width, the cursor was placed past the end of the
line. Add check_cursor() after setting State to MODE_NORMAL so the
cursor is adjusted to the last character.
Also fix the cmdwin prefix character (e.g. ':') being drawn on wrapped
continuation rows. Draw an empty space instead so that the text
alignment is preserved.
closes: #19964
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Hirohito Higashi <h.east.727@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: channel: ch_listen() can bind to network interface
Solution: Only allow to use Unix domain sockets or localhost interface
(Zdenek Dohnal)
related: #19231
related: #19799
closes: #19973
Signed-off-by: Zdenek Dohnal <zdohnal@redhat.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: tests: test_clientserver may fail on slower systems
Solution: Wait for argc() before checking argv() (James McCoy).
On slower systems, the argv() check may run before the server has
populated the arg list.
Add a wait for argc() to be 3 to be more tolerant of such systems
closes: #19974
Signed-off-by: James McCoy <jamessan@jamessan.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: tests: test_excmd.vim leaves swapfiles behind
Solution: Close open buffer using :bw!
related: #19975
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: some functions can be run from the sandbox
Solution: Block them, so they are not accessible from a modeline
(q1uf3ng)
closes: #19975
Co-authored-by: zeertzjq <zeertzjq@outlook.com>
Signed-off-by: q1uf3ng <q1uf3ng@protone.me>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: nfa_regmatch() allocates and frees two list buffers on every
call, causing unnecessary memory allocation overhead for
frequently used patterns.
Solution: Cache the list buffers in the regprog struct and reuse them
on subsequent top-level calls. Recursive calls still allocate
their own buffers. Free cached buffers in nfa_regfree()
(Yasuhiro Matsumoto).
Benchmark: 10K lines, `:%s` x50 iterations
| Pattern | Before | After | Improvement |
|---|---|---|---|
| `\<\(\w\+\%(ing\|tion\|ed\|ly\)\|\w\{3,}\)\>` (many matches) | 4.384s | 4.299s | -2% |
| `\(foo\|bar\|baz\)\{3,}\(qux\|quux\|corge\)\{2,}...` (no match, high nstate) | 16.927s | 3.015s | -82% |
closes: #19956
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Allow to configure max length for the summary line and fall back to gits
setting.
closes: #19905
Signed-off-by: Emilia <emilia@bewitching.dev>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: Cannot handle mouseclicks in the tabline
Solution: Support %[FuncName] click regions in 'tabline', add "area" key
to the click info dict (Yasuhiro Matsumoto).
The previous implementation resolved and stored click regions only for
per-window statuslines; the tabline path in win_redr_custom() (wp==NULL)
parsed %[FuncName] but discarded the regions, and tabline clicks were
dispatched via TabPageIdxs[] which didn't know about them.
Add a global tabline_stl_click array populated from the tabline path,
refactor stl_click_handler() to take the regions directly, and dispatch
matching clicks from do_mouse() before falling through to tab selection.
The winid entry in the callback dict is 0 for tabline clicks.
related: #19841
closes: #19950
Supported by AI.
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: check_range_index_one() expects a long * but n1 is a
varnumber_T. Casting varnumber_T * to long * is undefined
behaviour and reads the wrong bytes on big-endian platforms
(John Paul Adrian Glaubitz)
Solution: Use a local long variable and pass that pointer to
check_range_index_one() (James McCoy)
fixes: #19798closes: #19952
Signed-off-by: James McCoy <jamessan@jamessan.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: libvterm: no terminal reflow support
Solution: Support for reflowing, sync libvterm to revision 843
(Cimbali)
fixes: #2865closes: #8365closes: #19863
Co-authored-by: Paul "LeoNerd" Evans <leonerd@leonerd.org.uk>
Signed-off-by: Cimbali <me@cimba.li>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: On GTK3 with client-side decorations the window opens with
wrong &columns/&lines, and each :tabnew/:tabclose cycle
shrinks the size further.
Solution: Measure and compensate for the CSD frame offset, discard
spurious configure events from tabline show/hide
(Gary Johnson).
closes: #19853
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: Gary Johnson <garyjohn@spocom.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Problem: popup: still opacity rendering issues
Solution: Fix remaining issues, see below
(Yasuhiro Matsumoto).
This PR fixes the following issues:
- Padding blend hole at wide char boundary: when a padding cell overlaps
the second half of a wide character, the right half's attr value is
unreliable. Use the left half's saved attr for blending instead.
- Wide char background split at popup boundary: when a wide character in
an upper popup straddles the edge of a lower opacity popup, both
halves got different background colors. Since terminals cannot render
different left/right background colors for a wide character, detect
the lower popup with popup_is_over_opacity() and use the non-popup
side's underlying attr for both halves.
- Wrong blend color with cterm-only highlights under 'termguicolors':
when a popup highlight has ctermbg but no guibg, bg_rgb is set to
CTERMCOLOR (not INVALCOLOR). hl_blend_attr() used this value as a real
RGB color, producing gray instead of the intended color. Use
COLOR_INVALID() to detect both INVALCOLOR and CTERMCOLOR, and fall back
to converting the cterm color number to RGB.
closes: #19943
Signed-off-by: Yasuhiro Matsumoto <mattn.jp@gmail.com>
Signed-off-by: Christian Brabandt <cb@256bit.org>
Zdenek Dohnal
Keith Smiley
zeertzjq
tecis
Christian Brabandt
Yasuhiro Matsumoto
Hirohito Higashi
McAuley Penney
q1uf3ng
Martin Schwan
John Marriott
Foxe Chen
Ozaki Kiichi
Yegappan Lakshmanan
James McCoy
Emilia
Cimbali
Gary Johnson
Nihaal Sangha