view runtime/doc/sponsor.txt @ 33664:06b59278bfcf v9.0.2070
patch 9.0.2070: [security] disallow setting env in restricted mode
Commit: https://github.com/vim/vim/commit/6b89dd6a7257a1e2e9c7ea070b407bc4674a5118
Author: Christian Brabandt <cb@256bit.org>
Date: Thu Oct 26 22:14:17 2023 +0200
patch 9.0.2070: [security] disallow setting env in restricted mode
Problem: [security] disallow setting env in restricted mode
Solution: Setting environment variables in restricted mode could
potentially be used to execute shell commands. Disallow this.
restricted mode: disallow setting of environment variables
Setting environment variables in restricted mode may have some unwanted
consequences. So, for example, by setting $GCONV_PATH in restricted mode
and then calling the iconv() function, one may be able to execute some
unwanted payload, because the `iconv_open()` function internally uses
the `$GCONV_PATH` variable to find its conversion data.
So let's disable setting environment variables, even though this is no
complete protection, since we are not clearing the existing environment.
I tried a few ways but wasn't successful :(
One could also argue to disable the iconv() function completely in
restricted mode, but who knows what other API functions can be
influenced by setting some other unrelated environment variables.
So let's leave it as it is currently.
closes: #13394
See: https://huntr.com/bounties/b0a2eda1-459c-4e36-98e6-0cc7d7faccfe/
Signed-off-by: Christian Brabandt <cb@256bit.org>
author | Christian Brabandt <cb@256bit.org> |
---|---|
date | Thu, 26 Oct 2023 22:30:03 +0200 |
parents | b2e8663e6dcc |
children | 4635e43f2c6f |
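
The commit message above notes that blocking the setting of environment variables inside Vim does not clear variables already inherited from the parent process. As an added example (not part of the Vim patch or the Vim project), this wrapper starts `vim -Z` under `env -i` with an allowlist; `ALLOWED_VARS`, `run_clean`, `dropped_vars` and `restricted_vim` are names assumed here.

```shell
#!/bin/sh
# Added example: start restricted Vim with an allowlisted environment.
# ALLOWED_VARS and all function names are assumptions of this example.
ALLOWED_VARS="HOME USER LOGNAME PATH TERM LANG LC_ALL"

# Run "$@" under `env -i`, passing through only allowlisted variables that
# are set. Anything else (GCONV_PATH included) never reaches the child.
run_clean() {
    _n=$#
    for _name in $ALLOWED_VARS; do
        eval "_set=\${$_name+x}"
        [ -n "$_set" ] || continue       # skip variables that are not set
        eval "_val=\$$_name"
        set -- "$@" "$_name=$_val"       # append NAME=value after the command
    done
    while [ "$_n" -gt 0 ]; do            # rotate the command words to the end
        set -- "$@" "$1"
        shift
        _n=$((_n - 1))
    done
    env -i "$@"
}

# Audit helper: names set in the caller's environment that run_clean drops.
# Parses `env` output line by line, so multi-line values may add noise.
dropped_vars() {
    env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' |
    while read -r _name; do
        case " $ALLOWED_VARS " in
            *" $_name "*) ;;
            *) printf '%s\n' "$_name" ;;
        esac
    done
}

# Restricted mode (-Z) on top of the scrubbed environment.
restricted_vim() {
    run_clean vim -Z "$@"
}
```

Run `dropped_vars` first to see what a given account's environment would lose, and extend `ALLOWED_VARS` only for variables the editing session needs.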
*sponsor.txt*   For Vim version 9.0.  Last change: 2023 Mar 24


                  VIM REFERENCE MANUAL    by Bram Moolenaar


SPONSOR VIM DEVELOPMENT                                 *sponsor*

Fixing bugs and adding new features takes a lot of time and effort.  To show
your appreciation for the work and motivate Bram and others to continue
working on Vim please send a donation.

Since Bram does not need the money it will be used to help children in Uganda,
see |uganda|.  Donations increase Bram's motivation to keep working on Vim!

For the most recent information about sponsoring look on the Vim web site:

        http://www.vim.org/sponsor/

More explanations can be found in the |sponsor-faq|.


REGISTERED VIM USER                                     *register*

You can become a registered Vim user by sending at least 10 euro.  This works
similar to sponsoring Vim, see |sponsor| above.  Registration was made
possible for the situation where your boss or bookkeeper may be willing to
register software, but does not like the terms "sponsoring" and "donation".

More explanations can be found in the |register-faq|.


VOTE FOR FEATURES                                       *vote-for-features*

To give registered Vim users and sponsors an advantage over lurkers they can
vote for the items Bram should work on.  How does this voting work?

1. You send at least 10 euro.  See below for ways to transfer money
   |send-money|.

2. You will be e-mailed a registration key.  Enter this key on your account
   page on the Vim website.  You can easily create an account if you don't
   have one yet.

3. You can enter your votes on the voting page.  There is a link to that page
   on your account page after entering a registration key.  Your votes will
   be counted for two years.

4. The voting results appear on the results page, which is visible for
   everybody:  http://www.vim.org/sponsor/vote_results.php

Additionally, once you have sent 100 euro or more in total, your name appears
in the "Vim hall of honour":  http://www.vim.org/sponsor/hall_of_honour.php
But only if you enable this on your account page.


HOW TO SEND MONEY                                       *send-money*

Credit card     Through PayPal, see the PayPal site for information:
                        https://www.paypal.com/
                The e-mail address for sending sponsorship money is:
                        donate@vim.org
                The e-mail address for Vim registration is:
                        register@vim.org
                Using Euro is preferred, other currencies are also accepted.
                In Euro countries a bank transfer is preferred, this has lower
                costs.

Other methods   See |iccf-donations|.
                Include "Vim sponsor" or "Vim registration" in the comment of
                your money transfer.  Send me an e-mail that mentions the
                amount you transferred if you want to vote for features and
                show others you are a registered Vim user or sponsor.


QUESTIONS AND ANSWERS                           *sponsor-faq* *register-faq*

Why should I give money?

If you do not show your appreciation for Vim then Bram will be less motivated
to fix bugs and add new features.  He will do something else instead.


How much money should I send?

That is up to you.  The more you give, the more children will be helped.
An indication for individuals that use Vim at home: 10 Euro per year.  For
professional use: 30 Euro per year per person.  Send at least 10 euro to be
able to vote for features.


What do I get in return?

Each registered Vim user and sponsor who donates at least 10 euro will be able
to vote for new features.  These votes will give priority to the work on Vim.
The votes are valid for two years.  The more money you send the more your
votes count |votes-counted|.

If you send 100 Euro or more in total you will be mentioned on the "Vim hall
of honour" page on the Vim web site.  But only if you enable this on your
account page.  You can also select whether the amount will be visible.


How do I become a Vim sponsor or registered Vim user?

Send money, as explained above |send-money| and include your e-mail address.
When the money has been received you will receive a unique registration key.
This key can be used on the Vim website to activate voting on your Vim
account.  You will then get an extra page where you can vote for features and
choose whether others will be able to see that you donated.  There is a link
to this page on your "My Account" page.


What is the difference between sponsoring and registering?

It has a different name.  Use the term "registration" if your boss doesn't
like "sponsoring" or "donation".  The benefits are the same.


How can I send money?

See |send-money|.  Check the web site for the most recent information:
http://www.vim.org/sponsor/


Why don't you use the SourceForge donation system?

SourceForge takes 5% of the donations for themselves.  If you want to support
SourceForge you can send money to them directly.


I cannot afford to send money, may I still use Vim?

Yes.


I did not register Vim, can I use all available features?

Yes.


I noticed a bug, do I need to register before I can report it?

No, suggestions for improving Vim can always be given.  For improvements use
the developer |maillist|, for reporting bugs see |bugs|.


How are my votes counted?                               *votes-counted*

You may vote when you send 10 euro or more.  You can enter up to ten votes.
You can select the same item several times to give it more points.  You can
also enter three counter votes, these count as negative points.

When you send 30 euro or more the points are doubled.  Above 100 euro they
count four times, above 300 euro they count six times, above 1000 euro ten
times.


Can I change my votes?

You can change your votes any time you like, up to two years after you
sent money.  The points will be counted right away.


Can I add an item to vote on?

Not directly.  You can suggest items to vote on to Bram.  He will consider
fitting your item into the list.


How about Charityware?

Currently the Vim donations go to |uganda| anyway.  Thus it doesn't matter if
you sponsor Vim or ICCF.  Except that Vim sponsoring will allow you to vote
for features.


I donated $$$, now please add feature XYZ!

There is no direct relation between your donation and the work Bram does.
Otherwise you would be paying for work and we would have to pay tax over the
donation.  If you want to hire Bram for specific work, contact him directly,
don't use the donation system.


Are the donations tax deductible?

That depends on your country.  The donations to help the children in |Uganda|
are tax deductible in Holland, Germany, Canada and in the USA.  See the ICCF
website http://iccf-holland.org/donate.html.  You must send an e-mail to Bram
to let him know that the donation is done because of the use of Vim.


Can you send me a bill?

No, because there is no relation between the money you send and the work that
is done.  But a receipt is possible.


 vim:tw=78:ts=8:noet:ft=help:norl: