changeset 16726:fbab59a5ee6b v8.1.1365

patch 8.1.1365: source command doesn't check for the sandbox commit https://github.com/vim/vim/commit/53575521406739cf20bbe4e384d88e7dca11f040 Author: Bram Moolenaar <Bram@vim.org> Date: Wed May 22 22:38:25 2019 +0200 patch 8.1.1365: source command doesn't check for the sandbox Problem: Source command doesn't check for the sandbox. (Armin Razmjou) Solution: Check for the sandbox when sourcing a file.
author Bram Moolenaar <Bram@vim.org>
date Wed, 22 May 2019 22:45:05 +0200
parents 719dbc0bed23
children 8be69877c5de
files src/getchar.c src/testdir/test_source.vim src/version.c
diffstat 3 files changed, 17 insertions(+), 0 deletions(-) [+]
--- a/src/getchar.c
+++ b/src/getchar.c
@@ -1407,6 +1407,12 @@ openscript(
 	emsg(_(e_nesting));
 	return;
     }
+
+    // Disallow sourcing a file in the sandbox, the commands would be executed
+    // later, possibly outside of the sandbox.
+    if (check_secure())
+	return;
+
 #ifdef FEAT_EVAL
     if (ignore_script)
 	/* Not reading from script, also don't open one.  Warning message? */
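Review bot: The comment above the new `if (check_secure())` in openscript() names only the sandbox, but check_secure() is defined outside this hunk and, as far as I recall, also returns TRUE when the `secure` flag is set. If so, `:source!` is now also refused while 'secure' is active; please confirm that is intended and say so in the comment, e.g. `// check_secure() also refuses when 'secure' is set.`. The guard sits after the nesting check, so a nested call in the sandbox reports the nesting error first, which is harmless since both paths return before a script is opened. openscript() begins and ends outside the hunk, so the rest of the function was not reviewed.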
--- a/src/testdir/test_source.vim
+++ b/src/testdir/test_source.vim
@@ -36,3 +36,12 @@ func Test_source_cmd()
   au! SourcePre
   au! SourcePost
 endfunc
+
+func Test_source_sandbox()
+  new
+  call writefile(["Ohello\<Esc>"], 'Xsourcehello')
+  source! Xsourcehello | echo
+  call assert_equal('hello', getline(1))
+  call assert_fails('sandbox source! Xsourcehello', 'E48:')
+  bwipe!
+endfunc
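Review bot: Test_source_sandbox asserts only that the sandboxed `source!` raises E48, not that the script's keys stayed unexecuted, and it never removes `Xsourcehello`. A regression that reports the error but still opens the script would pass; adding `call assert_equal(2, line('$'))` after the `assert_fails` line would catch it. That count assumes the first `source!` leaves exactly two lines in the new buffer and that the keys are processed before the command returns, as the existing `getline(1)` assertion implies. Also add `call delete('Xsourcehello')` before `bwipe!` so the file does not leak into later tests.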
--- a/src/version.c
+++ b/src/version.c
@@ -768,6 +768,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    1365,
+/**/
     1364,
 /**/
     1363,